Skip to content

Dependency tree vulnerability #137

Description

@FreeMasen

The transitive dependency of rkyv has encountered a RUSTSEC Advisory, this doesn't seem to be something that consumers have any control over opting out of. It appears to be an optional dependency of the rust_decimal crate which means it could either be disabled by xee or feature-gated to allow consumers to enable it

cargo audit
Crate:     rkyv
Version:   0.7.45
Title:     Potential Undefined Behaviors in `Arc<T>`/`Rc<T>` impls of `from_value` on OOM
Date:      2026-01-05
ID:        RUSTSEC-2026-0001
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0001
Solution:  Upgrade to >=0.8.13
Dependency tree:
rkyv 0.7.45
└── rust_decimal 1.39.0
    ├── xee-xpath-lexer 0.1.3
    │   └── xee-xpath-ast 0.1.3
    │       ├── xee-xpath-macros 0.1.3
    │       │   └── xee-interpreter 0.1.5
    │       │       ├── xee-xpath-compiler 0.1.4
    │       │       │   └── xee-xpath 0.1.4
    │       │       ├── xee-xpath 0.1.4
    │       │       └── xee-ir 0.1.4
    │       │           ├── xee-xpath-compiler 0.1.4
    │       │           └── xee-xpath 0.1.4
    │       ├── xee-xpath-compiler 0.1.4
    │       ├── xee-xpath 0.1.4
    │       ├── xee-ir 0.1.4
    │       └── xee-interpreter 0.1.5
    ├── xee-xpath-compiler 0.1.4
    ├── xee-xpath-ast 0.1.3
    ├── xee-xpath 0.1.4
    ├── xee-ir 0.1.4
    └── xee-interpreter 0.1.5

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions