Security: request bump of to >=0.3.20 (RUSTSEC-2025-0055) #90

@joker00099

Hello maintainers,

Crate: tracing-subscriber
Version: 0.2.25
Title: Logging user input may result in poisoning logs with ANSI escape sequences
Date: 2025-08-29
ID: RUSTSEC-2025-0055
URL: https://rustsec.org/advisories/RUSTSEC-2025-0055
Solution: Upgrade to >=0.3.20
Dependency tree:
tracing-subscriber 0.2.25
└── ark-relations 0.5.1
    ├── qubit-core 1.0.0
    ├── ark-snark 0.5.1
    │   ├── qubit-core 1.0.0
    │   └── ark-crypto-primitives 0.5.0
    │       └── ark-groth16 0.5.0
    │           └── qubit-core 1.0.0
    ├── ark-groth16 0.5.0
    └── ark-crypto-primitives 0.5.0

Crate: bincode
Version: 1.3.3
Warning: unmaintained
Title: Bincode is unmaintained
Date: 2025-12-16
ID: RUSTSEC-2025-0141
URL: https://rustsec.org/advisories/RUSTSEC-2025-0141
Dependency tree:
bincode 1.3.3
└── qubit-core 1.0.0

Crate: derivative
Version: 2.2.0
Warning: unmaintained
Title: derivative is unmaintained; consider using an alternative
Date: 2024-06-26
ID: RUSTSEC-2024-0388
URL: https://rustsec.org/advisories/RUSTSEC-2024-0388
Dependency tree:
derivative 2.2.0
└── ark-crypto-primitives 0.5.0
    └── ark-groth16 0.5.0
        └── qubit-core 1.0.0

Crate: fxhash
Version: 0.2.1
Warning: unmaintained
Title: fxhash - no longer maintained
Date: 2025-09-05
ID: RUSTSEC-2025-0057
URL: https://rustsec.org/advisories/RUSTSEC-2025-0057
Dependency tree:
fxhash 0.2.1
└── sled 0.34.7
    └── qubit-core 1.0.0

Crate: instant
Version: 0.1.13
Warning: unmaintained
Title: instant is unmaintained
Date: 2024-09-01
ID: RUSTSEC-2024-0384
URL: https://rustsec.org/advisories/RUSTSEC-2024-0384
Dependency tree:
instant 0.1.13
├── parking_lot_core 0.8.6
│   └── parking_lot 0.11.2
│       └── sled 0.34.7
│           └── qubit-core 1.0.0
└── parking_lot 0.11.2

Crate: paste
Version: 1.0.15
Warning: unmaintained
Title: paste - no longer maintained
Date: 2024-10-07
ID: RUSTSEC-2024-0436
URL: https://rustsec.org/advisories/RUSTSEC-2024-0436
Dependency tree:
paste 1.0.15
├── netlink-packet-utils 0.5.2
│   ├── rtnetlink 0.13.1
│   │   └── if-watch 3.2.1
│   │       ├── libp2p-tcp 0.44.0
│   │       │   └── libp2p 0.56.0
│   │       │       └── qubit-core 1.0.0
│   │       ├── libp2p-quic 0.13.0
│   │       │   └── libp2p 0.56.0
│   │       └── libp2p-mdns 0.48.0
│   │           └── libp2p 0.56.0
│   ├── netlink-packet-route 0.17.1
│   │   ├── rtnetlink 0.13.1
│   │   └── if-watch 3.2.1
│   └── netlink-packet-core 0.7.0
│       ├── rtnetlink 0.13.1
│       ├── netlink-proto 0.11.5
│       │   ├── rtnetlink 0.13.1
│       │   └── if-watch 3.2.1
│       ├── netlink-packet-route 0.17.1
│       └── if-watch 3.2.1
└── ark-ff 0.5.0
    ├── qubit-core 1.0.0
    ├── ark-snark 0.5.1
    │   ├── qubit-core 1.0.0
    │   └── ark-crypto-primitives 0.5.0
    │       └── ark-groth16 0.5.0
    │           └── qubit-core 1.0.0
    ├── ark-relations 0.5.1
    │   ├── qubit-core 1.0.0
    │   ├── ark-snark 0.5.1
    │   ├── ark-groth16 0.5.0
    │   └── ark-crypto-primitives 0.5.0
    ├── ark-poly 0.5.0
    │   ├── ark-groth16 0.5.0
    │   └── ark-ec 0.5.0
    │       ├── qubit-core 1.0.0
    │       ├── ark-groth16 0.5.0
    │       ├── ark-crypto-primitives 0.5.0
    │       └── ark-bls12-381 0.5.0
    │           └── qubit-core 1.0.0
    ├── ark-groth16 0.5.0
    ├── ark-ec 0.5.0
    ├── ark-crypto-primitives 0.5.0
    └── ark-bls12-381 0.5.0

Crate: lru
Version: 0.12.5
Warning: unsound
Title: IterMut violates Stacked Borrows by invalidating internal pointer
Date: 2026-01-07
ID: RUSTSEC-2026-0002
URL: https://rustsec.org/advisories/RUSTSEC-2026-0002
Dependency tree:
lru 0.12.5
└── libp2p-swarm 0.47.0
    ├── libp2p-upnp 0.5.0
    │   └── libp2p 0.56.0
    │       └── qubit-core 1.0.0
    ├── libp2p-request-response 0.29.0
    │   └── libp2p 0.56.0
    ├── libp2p-metrics 0.17.0
    │   └── libp2p 0.56.0
    ├── libp2p-mdns 0.48.0
    │   └── libp2p 0.56.0
    ├── libp2p-kad 0.48.0
    │   ├── libp2p-metrics 0.17.0
    │   └── libp2p 0.56.0
    ├── libp2p-identify 0.47.0
    │   ├── libp2p-metrics 0.17.0
    │   └── libp2p 0.56.0
    ├── libp2p-gossipsub 0.49.2
    │   ├── libp2p-metrics 0.17.0
    │   └── libp2p 0.56.0
    ├── libp2p-connection-limits 0.6.0
    │   └── libp2p 0.56.0
    ├── libp2p-allow-block-list 0.6.0
    │   └── libp2p 0.56.0
    └── libp2p 0.56.0

on a downstream project found advisory RUSTSEC-2025-0055: allows ANSI escape sequences to poison logs. Upgrading to is recommended.

Downstream dependency tree (example):

Could you consider bumping (or releasing a patch) so downstream users avoid this advisory? I'm happy to help prepare a PR if that'd help.

Thanks!
