chore(deps): update rkyv, closes #14734 #14736
Merged
GitHub Actions / Security audit
failed
Jan 6, 2026 in 0s
Security advisories found
1 advisory(ies), 19 unmaintained, 1 other
Details
Vulnerabilities
RUSTSEC-2026-0001
Potential Undefined Behaviors in
Arc<T>/Rc<T>impls offrom_valueon OOM
| Details | |
|---|---|
| Package | rkyv |
| Version | 0.7.46 |
| URL | rkyv/rkyv#644 |
| Date | 2026-01-05 |
| Patched versions | >=0.8.13 |
The SharedPointer::alloc implementation for sync::Arc<T> and rc::Rc<T> in rkyv/src/impls/alloc/rc/atomic.rs (and rc.rs) does not check if the allocator returns a null pointer on OOM (Out of Memory).
This null pointer can flow through to SharedPointer::from_value, which calls Box::from_raw(ptr) with the null pointer. This triggers undefined behavior when utilizing safe deserialization APIs (such as rkyv::from_bytes or rkyv::deserialize_using) if an OOM condition occurs during the allocation of the shared pointer.
The issue is reachable through safe code and violates Rust's safety guarantees.
Warnings
RUSTSEC-2024-0413
gtk-rs GTK3 bindings - no longer maintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | atk |
| Version | 0.18.2 |
| URL | gtk-rs/gtk3-rs@508a69b |
| Date | 2024-03-04 |
The gtk-rs GTK3 bindings are no longer maintained.
The maintainers have archived the repository, and added a note to the crate
description and its README.md that the crates are no longer maintained.
Please take a look at gtk4-rs instead.
### [RUSTSEC-2024-0416](https://rustsec.org/advisories/RUSTSEC-2024-0416.html)
> gtk-rs GTK3 bindings - no longer maintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `atk-sys` |
| Version | `0.18.2` |
| URL | [https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6](https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6) |
| Date | 2024-03-04 |
The gtk-rs GTK3 bindings are no longer maintained.
The maintainers have archived the repository, and added a note to the crate
description and its README.md that the crates are no longer maintained.
Please take a look at [gtk4-rs](https://github.com/gtk-rs/gtk4-rs) instead.
RUSTSEC-2025-0057
fxhash - no longer maintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | fxhash |
| Version | 0.2.1 |
| URL | cbreeden/fxhash#20 |
| Date | 2025-09-05 |
The fxhash crate is no longer maintained.
The repository is stale and owner is no longer active on GitHub.
Please take a look at rustc-hash instead.
### [RUSTSEC-2024-0412](https://rustsec.org/advisories/RUSTSEC-2024-0412.html)
> gtk-rs GTK3 bindings - no longer maintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `gdk` |
| Version | `0.18.2` |
| URL | [https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6](https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6) |
| Date | 2024-03-04 |
The gtk-rs GTK3 bindings are no longer maintained.
The maintainers have archived the repository, and added a note to the crate
description and its README.md that the crates are no longer maintained.
Please take a look at [gtk4-rs](https://github.com/gtk-rs/gtk4-rs) instead.
RUSTSEC-2024-0418
gtk-rs GTK3 bindings - no longer maintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | gdk-sys |
| Version | 0.18.2 |
| URL | gtk-rs/gtk3-rs@508a69b |
| Date | 2024-03-04 |
The gtk-rs GTK3 bindings are no longer maintained.
The maintainers have archived the repository, and added a note to the crate
description and its README.md that the crates are no longer maintained.
Please take a look at gtk4-rs instead.
### [RUSTSEC-2024-0411](https://rustsec.org/advisories/RUSTSEC-2024-0411.html)
> gtk-rs GTK3 bindings - no longer maintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `gdkwayland-sys` |
| Version | `0.18.2` |
| URL | [https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6](https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6) |
| Date | 2024-03-04 |
The gtk-rs GTK3 bindings are no longer maintained.
The maintainers have archived the repository, and added a note to the crate
description and its README.md that the crates are no longer maintained.
Please take a look at [gtk4-rs](https://github.com/gtk-rs/gtk4-rs) instead.
RUSTSEC-2024-0417
gtk-rs GTK3 bindings - no longer maintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | gdkx11 |
| Version | 0.18.2 |
| URL | gtk-rs/gtk3-rs@508a69b |
| Date | 2024-03-04 |
The gtk-rs GTK3 bindings are no longer maintained.
The maintainers have archived the repository, and added a note to the crate
description and its README.md that the crates are no longer maintained.
Please take a look at gtk4-rs instead.
### [RUSTSEC-2024-0414](https://rustsec.org/advisories/RUSTSEC-2024-0414.html)
> gtk-rs GTK3 bindings - no longer maintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `gdkx11-sys` |
| Version | `0.18.2` |
| URL | [https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6](https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6) |
| Date | 2024-03-04 |
The gtk-rs GTK3 bindings are no longer maintained.
The maintainers have archived the repository, and added a note to the crate
description and its README.md that the crates are no longer maintained.
Please take a look at [gtk4-rs](https://github.com/gtk-rs/gtk4-rs) instead.
RUSTSEC-2024-0415
gtk-rs GTK3 bindings - no longer maintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | gtk |
| Version | 0.18.2 |
| URL | gtk-rs/gtk3-rs@508a69b |
| Date | 2024-03-04 |
The gtk-rs GTK3 bindings are no longer maintained.
The maintainers have archived the repository, and added a note to the crate
description and its README.md that the crates are no longer maintained.
Please take a look at gtk4-rs instead.
### [RUSTSEC-2024-0420](https://rustsec.org/advisories/RUSTSEC-2024-0420.html)
> gtk-rs GTK3 bindings - no longer maintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `gtk-sys` |
| Version | `0.18.2` |
| URL | [https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6](https://github.com/gtk-rs/gtk3-rs/commit/508a69b63a3c5bf73790e0e59101a955847f30d6) |
| Date | 2024-03-04 |
The gtk-rs GTK3 bindings are no longer maintained.
The maintainers have archived the repository, and added a note to the crate
description and its README.md that the crates are no longer maintained.
Please take a look at [gtk4-rs](https://github.com/gtk-rs/gtk4-rs) instead.
RUSTSEC-2024-0419
gtk-rs GTK3 bindings - no longer maintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | gtk3-macros |
| Version | 0.18.2 |
| URL | gtk-rs/gtk3-rs@508a69b |
| Date | 2024-03-04 |
The gtk-rs GTK3 bindings are no longer maintained.
The maintainers have archived the repository, and added a note to the crate
description and its README.md that the crates are no longer maintained.
Please take a look at gtk4-rs instead.
### [RUSTSEC-2024-0436](https://rustsec.org/advisories/RUSTSEC-2024-0436.html)
> paste - no longer maintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `paste` |
| Version | `1.0.15` |
| URL | [https://github.com/dtolnay/paste](https://github.com/dtolnay/paste) |
| Date | 2024-10-07 |
The creator of the crate `paste` has stated in the [`README.md`](https://github.com/dtolnay/paste/blob/master/README.md)
that this project is not longer maintained as well as archived the repository
## Possible Alternative(s)
- [pastey](https://crates.io/crates/pastey), a fork of paste and is aimed to be a drop-in replacement with additional features for paste crate
### [RUSTSEC-2025-0134](https://rustsec.org/advisories/RUSTSEC-2025-0134.html)
> rustls-pemfile is unmaintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `rustls-pemfile` |
| Version | `1.0.4` |
| URL | [https://github.com/rustls/pemfile/issues/61](https://github.com/rustls/pemfile/issues/61) |
| Date | 2025-11-28 |
The rustls-pemfile crate is no longer maintained. The repository has been archived since August
2025, and users are encouraged to depend directly on the underlying PEM parsing code included
in rustls-pki-types since 1.9.0. The latest version of rustls-pemfile is in fact a thin wrapper
around the same code used in rustls-pki-types, so migrating should be straightforward.
The new API is represented by the [`PemObject`][PemObject] trait, which provides methods for
reading a single or multiple PEM objects from a file or byte slice.
[PemObject]: https://docs.rs/rustls-pki-types/latest/rustls_pki_types/pem/trait.PemObject.html
### [RUSTSEC-2025-0134](https://rustsec.org/advisories/RUSTSEC-2025-0134.html)
> rustls-pemfile is unmaintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `rustls-pemfile` |
| Version | `2.2.0` |
| URL | [https://github.com/rustls/pemfile/issues/61](https://github.com/rustls/pemfile/issues/61) |
| Date | 2025-11-28 |
The rustls-pemfile crate is no longer maintained. The repository has been archived since August
2025, and users are encouraged to depend directly on the underlying PEM parsing code included
in rustls-pki-types since 1.9.0. The latest version of rustls-pemfile is in fact a thin wrapper
around the same code used in rustls-pki-types, so migrating should be straightforward.
The new API is represented by the [`PemObject`][PemObject] trait, which provides methods for
reading a single or multiple PEM objects from a file or byte slice.
[PemObject]: https://docs.rs/rustls-pki-types/latest/rustls_pki_types/pem/trait.PemObject.html
### [RUSTSEC-2025-0081](https://rustsec.org/advisories/RUSTSEC-2025-0081.html)
> `unic-char-property` is unmaintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `unic-char-property` |
| Version | `0.9.0` |
| URL | [https://github.com/rustsec/advisory-db/issues/2414](https://github.com/rustsec/advisory-db/issues/2414) |
| Date | 2025-10-18 |
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained.
## Recommended alternatives
- [`icu_properties`](https://crates.io/crates/icu_properties)
### [RUSTSEC-2025-0075](https://rustsec.org/advisories/RUSTSEC-2025-0075.html)
> `unic-char-range` is unmaintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `unic-char-range` |
| Version | `0.9.0` |
| URL | [https://github.com/rustsec/advisory-db/issues/2414](https://github.com/rustsec/advisory-db/issues/2414) |
| Date | 2025-10-18 |
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained.
## Recommended alternatives
- Since version [1.45.0](https://releases.rs/docs/1.45.0/#libraries) Rust [supports](https://github.com/rust-lang/rust/pull/72413/) using `char` with `ops::{Range, RangeFrom, RangeFull, RangeInclusive, RangeTo}` to iterate over a range of codepoints.
### [RUSTSEC-2025-0080](https://rustsec.org/advisories/RUSTSEC-2025-0080.html)
> `unic-common` is unmaintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `unic-common` |
| Version | `0.9.0` |
| URL | [https://github.com/rustsec/advisory-db/issues/2414](https://github.com/rustsec/advisory-db/issues/2414) |
| Date | 2025-10-18 |
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained.
### [RUSTSEC-2025-0100](https://rustsec.org/advisories/RUSTSEC-2025-0100.html)
> `unic-ucd-ident` is unmaintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `unic-ucd-ident` |
| Version | `0.9.0` |
| URL | [https://github.com/rustsec/advisory-db/issues/2414](https://github.com/rustsec/advisory-db/issues/2414) |
| Date | 2025-10-18 |
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained.
## Recommended alternatives
- [`icu_properties`](https://crates.io/crates/icu_properties)
- [`unicode-ident`](https://crates.io/crates/unicode-ident)
### [RUSTSEC-2025-0098](https://rustsec.org/advisories/RUSTSEC-2025-0098.html)
> `unic-ucd-version` is unmaintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `unic-ucd-version` |
| Version | `0.9.0` |
| URL | [https://github.com/rustsec/advisory-db/issues/2414](https://github.com/rustsec/advisory-db/issues/2414) |
| Date | 2025-10-18 |
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained.
Loading