
Security vulnerability in time 0.1 #169

Open
faro-dr opened this issue Jul 11, 2023 · 2 comments

Comments

@faro-dr

faro-dr commented Jul 11, 2023

There is an indirect dependency on the time crate version 0.1 which has security vulnerability https://rustsec.org/advisories/RUSTSEC-2020-0071

This is the dependency tree:

time v0.1.45
└── hyper-old-types v0.11.0
    └── swagger v6.3.0

Not sure if this can be fixed in hyper-old-types or if this means that the dependency on hyper-old-types should be removed.
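To check whether a build actually pulls in the affected crate, here is an added example (my own, not code from this issue or from swagger-rs) that parses `cargo tree` output and lists every dependency path ending in a time 0.1.x crate; the root crate `my-service` and the sibling `other-dep` are constructed names.

```python
# Added example: walk `cargo tree` output and report every dependency path
# that ends in the time crate's 0.1 line (RUSTSEC-2020-0071, as in the issue).
import re
from typing import List, Tuple

# Constructed sample modelled on the tree posted in the issue, extended with a
# root crate and an unrelated sibling whose time dependency is not 0.1.x.
SAMPLE_TREE = """\
my-service v0.1.0
├── swagger v6.3.0
│   └── hyper-old-types v0.11.0
│       └── time v0.1.45
└── other-dep v0.0.1
    └── time v0.3.22
"""

# cargo tree draws each nesting level with four characters of box drawing.
LINE_RE = re.compile(r"^(?P<prefix>[│├└─ ]*)(?P<name>\S+) v(?P<version>\S+)")

def parse_cargo_tree(text: str) -> List[Tuple[int, str, str]]:
    """Return (depth, crate, version) for each crate line of `cargo tree`."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 4
        rows.append((depth, m.group("name"), m.group("version")))
    return rows

def is_time_0_1(name: str, version: str) -> bool:
    """The affected crate as the issue describes it: time on its 0.1 line."""
    return name == "time" and version.startswith("0.1.")

def vulnerable_paths(text: str) -> List[List[str]]:
    """Every root-to-leaf path whose leaf matches is_time_0_1."""
    stack: List[str] = []
    found: List[List[str]] = []
    for depth, name, version in parse_cargo_tree(text):
        del stack[depth:]  # climb back up to this node's parent
        stack.append(f"{name} v{version}")
        if is_time_0_1(name, version):
            found.append(list(stack))
    return found

if __name__ == "__main__":
    for path in vulnerable_paths(SAMPLE_TREE):
        print(" -> ".join(path))
```

Feed it the real output of `cargo tree` from the project to see which top-level dependency is responsible for the transitive pull-in.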

@matt-williams-ms

Thanks for raising this!

Since some of hyper-old-types' types are re-exported by swagger-rs, removing the dependency on hyper-old-types would be a breaking change, which we'd need to manage carefully. This is probably the right long-term direction, though - @richardwhiuk, do you agree?

Looking at the code, the only dependencies that swagger-rs has on hyper-old-types are for the Authorization header and its related basic, bearer, raw and scheme types. The dependency that hyper-old-types has on time is related to the Date header. As a result, I don't think swagger-rs is actually vulnerable to https://rustsec.org/advisories/RUSTSEC-2020-0071... but it would be good to get this tidied up anyway!

@richardwhiuk
Contributor

Yes, plan is to take https://github.com/Metaswitch/swagger-rs/pull/158/files at the point we take hyper 1.x, or push a fix to hyper-old-types which doesn't depend on time 0.1.
