Running cargo audit on the 0.8.6 tag shows the following vulnerability:
Fetching advisories `https://raw.githubusercontent.com/RustSec/advisory-db/master/Advisories.toml`
Scanning 135 crates for vulnerabilities (8 advisories in database)
Warning Vulnerable crates found!
ID: RUSTSEC-2018-0003
Crate: smallvec
Version: 0.2.1
Date: 2018-07-19
URL: https://github.com/servo/rust-smallvec/issues/96
Title: Possible double free during unwinding in SmallVec::insert_many
Solution: upgrade to: >= 0.6.3, ^0.3.4, ^0.4.5, ^0.5.1
error: 1 vulnerability found!
This is already fixed in master thanks to the hyper 0.12 upgrade.
I have some crates that depend on reqewset 0.8.6. Can we expect a new release in the near future?
Hm, reqwest doesn't use smallvec directly. Do you know which in the dependency tree does?
Yes: reqwest v0.8.6 -> hyper v0.11.27 -> tokio-proto v0.1.1 -> smallvec v0.2.1
Oh boy, tokio-proto is kinda dead... I can't release reqwest with the hyper upgrade yet (see 0.9 milestone to see blockers), but let's see if we can just fix these dependencies...
Alright, so both hyper and tokio-tls, which depended on tokio-proto, actually had those dependencies as optional, so I've disabled them for reqwest. This shouldn't affect anyone who is using those features themselves, it just means that if you aren't, since reqwest wasn't using them, they won't be included. Doing that shows that a fresh build of reqwest by itself no longer includes smallvec. v0.8.7 has been released with this change.
Great, thanks a lot @seanmonstar! :tada:
Most helpful comment
Oh boy, tokio-proto is kinda dead... I can't release reqwest with the hyper upgrade yet (see 0.9 milestone to see blockers), but let's see if we can just fix these dependencies...