From bf4a904b2f492055b45410149fa90d0d241d6b9d Mon Sep 17 00:00:00 2001 From: Nicolas Dreno Date: Wed, 13 May 2026 11:38:45 +0200 Subject: [PATCH] chore: replace tempdir with tempfile, clearing CVE RUSTSEC-2023-0018 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `tempdir` 0.3.7 has been deprecated for years and pulls in `remove_dir_all` 0.5.3, which has an unfixed race-condition CVE (RUSTSEC-2023-0018). Both reach the tree only via cargo-typify's integration tests (dev-dependency), so there's no production exposure, but cargo-deny rightly flags the chain. Swaps the dependency for `tempfile` 3.27 and updates the seven test sites to use `TempDir::with_prefix("cargo-typify")` instead of `TempDir::new("cargo-typify")` (preserving the prefix semantics). deny.toml drops the two now-irrelevant ignores (RUSTSEC-2018-0017 for tempdir itself, RUSTSEC-2023-0018 for the transitive CVE). Two ignores remain — `adler` and `paste` — both transitive dev-dep concerns we cannot resolve from our side; the comments explain the chain. --- CHANGELOG.adoc | 3 + Cargo.lock | 328 ++++++++++++++++++++++-------- Cargo.toml | 2 +- cargo-typify/Cargo.toml | 2 +- cargo-typify/tests/integration.rs | 16 +- deny.toml | 28 +-- 6 files changed, 260 insertions(+), 119 deletions(-) diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 26aa0e2c..8cb6c198 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -27,6 +27,9 @@ * replace panics in `ref_key()` and `convert_reference()` with proper error returns * generate Rust tuples from 2020-12 `prefixItems` + `items: false` (#955) +=== Chores +* replace deprecated `tempdir` dev-dependency with `tempfile`, clearing RUSTSEC-2023-0018 (`remove_dir_all` race-condition CVE) and RUSTSEC-2018-0017 from the advisory ignore list + === New features * JSON Schema `if`/`then`/`else` support via transformation to `oneOf` (#480) * JSON Schema 2020-12 and 2019-09 support via automatic normalization (#579) diff --git a/Cargo.lock b/Cargo.lock index 779b3a4f..2dfa8e69 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -90,6 +90,12 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "anyhow" +version = "1.0.102" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" + [[package]] name = "assert_cmd" version = "2.2.0" @@ -111,7 +117,7 @@ version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3ef1bb8d1b645fe38d51dfc331d720fb5fc2c94b440c76cc79c80ff265ca33e3" dependencies = [ - "rustix", + "rustix 0.38.28", "tempfile", "windows-sys 0.52.0", ] @@ -137,12 +143,6 @@ dependencies = [ "rustc-demangle", ] -[[package]] -name = "bitflags" -version = "1.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" - [[package]] name = "bitflags" version = "2.4.1" @@ -180,7 +180,7 @@ dependencies = [ "schemars", "semver", "serde_json", - "tempdir", + "tempfile", "typify", ] @@ -354,9 +354,9 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.8" +version = "0.3.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" +checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", "windows-sys 0.52.0", @@ -407,9 +407,15 @@ dependencies = [ [[package]] name = "fastrand" -version = "2.0.1" +version = "2.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6" + +[[package]] +name = "foldhash" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5" +checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" [[package]] name = "foldhash" @@ -418,10 +424,17 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb" [[package]] -name = "fuchsia-cprng" -version = "0.1.1" +name = "getrandom" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba" +checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555" +dependencies = [ + "cfg-if", + "libc", + "r-efi", + "wasip2", + "wasip3", +] [[package]] name = "gimli" @@ -435,6 +448,15 @@ version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280" +[[package]] +name = "hashbrown" +version = "0.15.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1" +dependencies = [ + "foldhash 0.1.5", +] + [[package]] name = "hashbrown" version = "0.16.0" @@ -443,7 +465,7 @@ checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d" dependencies = [ "allocator-api2", "equivalent", - "foldhash", + "foldhash 0.2.0", ] [[package]] @@ -484,6 +506,12 @@ dependencies = [ "cc", ] +[[package]] +name = "id-arena" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954" + [[package]] name = "indenter" version = "0.3.3" @@ -497,7 +525,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6717a8d2a5a929a1a2eb43a12812498ed141a0bcfb7e8f7844fbdbe4303bba9f" dependencies = [ "equivalent", - "hashbrown", + "hashbrown 0.16.0", + "serde", + "serde_core", ] [[package]] @@ -560,11 +590,17 @@ version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" +[[package]] +name = "leb128fmt" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2" + [[package]] name = "libc" -version = "0.2.151" +version = "0.2.186" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "302d7ab3130588088d277783b1e2d2e10c9e9e4a16dd9050e6ec93fb3e7048f4" +checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66" [[package]] name = "linux-raw-sys" @@ -572,6 +608,12 @@ version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c4cd1a83af159aa67994778be9070f0ae1bd732942279cabb14f86f986a21456" +[[package]] +name = "linux-raw-sys" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53" + [[package]] name = "log" version = "0.4.29" @@ -715,50 +757,10 @@ dependencies = [ ] [[package]] -name = "rand" -version = "0.4.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "552840b97013b1a26992c11eac34bdd778e464601a4c2054b5f0bff7c6761293" -dependencies = [ - "fuchsia-cprng", - "libc", - "rand_core 0.3.1", - "rdrand", - "winapi", -] - -[[package]] -name = "rand_core" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a6fdeb83b075e8266dcc8762c22776f6877a63111121f5f8c7411e5be7eed4b" -dependencies = [ - "rand_core 0.4.2", -] - -[[package]] -name = "rand_core" -version = "0.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c33a3c44ca05fa6f1807d8e6743f3824e8509beca625669633be0acbdf509dc" - -[[package]] -name = "rdrand" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "678054eb77286b51581ba43620cc911abf02758c91f93f479767aed0f90458b2" -dependencies = [ - "rand_core 0.3.1", -] - -[[package]] -name = "redox_syscall" -version = "0.4.1" +name = "r-efi" +version = "6.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" -dependencies = [ - "bitflags 1.3.2", -] +checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf" [[package]] name = "regex" @@ -795,19 +797,10 @@ version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "07948de9abc2e83adbeb7543c061a5ddaf7d944afcafbdd6e6b39aeacd40504b" dependencies = [ - "hashbrown", + "hashbrown 0.16.0", "memchr", ] -[[package]] -name = "remove_dir_all" -version = "0.5.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7" -dependencies = [ - "winapi", -] - [[package]] name = "rustc-demangle" version = "0.1.24" @@ -833,10 +826,23 @@ version = "0.38.28" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72e572a5e8ca657d7366229cdde4bd14c4eb5499a9573d4d366fe1b599daa316" dependencies = [ - "bitflags 2.4.1", + "bitflags", "errno", "libc", - "linux-raw-sys", + "linux-raw-sys 0.4.12", + "windows-sys 0.52.0", +] + +[[package]] +name = "rustix" +version = "1.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190" +dependencies = [ + "bitflags", + "errno", + "libc", + "linux-raw-sys 0.12.1", "windows-sys 0.52.0", ] @@ -1036,27 +1042,17 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "591ef38edfb78ca4771ee32cf494cb8771944bee237a9b91fc9c1424ac4b777b" -[[package]] -name = "tempdir" -version = "0.3.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15f2b5fb00ccdf689e0149d1b1b3c03fead81c2b37735d812fa8bddbbf41b6d8" -dependencies = [ - "rand", - "remove_dir_all", -] - [[package]] name = "tempfile" -version = "3.8.1" +version = "3.27.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ef1adac450ad7f4b3c28589471ade84f25f731a7a0fe30d71dfa9f60fd808e5" +checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd" dependencies = [ - "cfg-if", "fastrand", - "redox_syscall", - "rustix", - "windows-sys 0.48.0", + "getrandom", + "once_cell", + "rustix 1.1.4", + "windows-sys 0.52.0", ] [[package]] @@ -1357,6 +1353,12 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e51733f11c9c4f72aa0c160008246859e340b00807569a0da0e7a1079b27ba85" +[[package]] +name = "unicode-xid" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853" + [[package]] name = "utf8parse" version = "0.2.1" @@ -1397,6 +1399,24 @@ dependencies = [ "winapi-util", ] +[[package]] +name = "wasip2" +version = "1.0.3+wasi-0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "20064672db26d7cdc89c7798c48a0fdfac8213434a1186e5ef29fd560ae223d6" +dependencies = [ + "wit-bindgen 0.57.1", +] + +[[package]] +name = "wasip3" +version = "0.4.0+wasi-0.3.0-rc-2026-01-06" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5" +dependencies = [ + "wit-bindgen 0.51.0", +] + [[package]] name = "wasm-bindgen" version = "0.2.89" @@ -1451,6 +1471,40 @@ version = "0.2.89" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7ab9b36309365056cd639da3134bf87fa8f3d86008abf99e612384a6eecd459f" +[[package]] +name = "wasm-encoder" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319" +dependencies = [ + "leb128fmt", + "wasmparser", +] + +[[package]] +name = "wasm-metadata" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909" +dependencies = [ + "anyhow", + "indexmap", + "wasm-encoder", + "wasmparser", +] + +[[package]] +name = "wasmparser" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe" +dependencies = [ + "bitflags", + "hashbrown 0.15.5", + "indexmap", + "semver", +] + [[package]] name = "winapi" version = "0.3.9" @@ -1710,6 +1764,100 @@ version = "0.7.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829" +[[package]] +name = "wit-bindgen" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5" +dependencies = [ + "wit-bindgen-rust-macro", +] + +[[package]] +name = "wit-bindgen" +version = "0.57.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ebf944e87a7c253233ad6766e082e3cd714b5d03812acc24c318f549614536e" + +[[package]] +name = "wit-bindgen-core" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc" +dependencies = [ + "anyhow", + "heck", + "wit-parser", +] + +[[package]] +name = "wit-bindgen-rust" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21" +dependencies = [ + "anyhow", + "heck", + "indexmap", + "prettyplease", + "syn", + "wasm-metadata", + "wit-bindgen-core", + "wit-component", +] + +[[package]] +name = "wit-bindgen-rust-macro" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a" +dependencies = [ + "anyhow", + "prettyplease", + "proc-macro2", + "quote", + "syn", + "wit-bindgen-core", + "wit-bindgen-rust", +] + +[[package]] +name = "wit-component" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2" +dependencies = [ + "anyhow", + "bitflags", + "indexmap", + "log", + "serde", + "serde_derive", + "serde_json", + "wasm-encoder", + "wasm-metadata", + "wasmparser", + "wit-parser", +] + +[[package]] +name = "wit-parser" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736" +dependencies = [ + "anyhow", + "id-arena", + "indexmap", + "log", + "semver", + "serde", + "serde_derive", + "serde_json", + "unicode-xid", + "wasmparser", +] + [[package]] name = "zmij" version = "1.0.2" diff --git a/Cargo.toml b/Cargo.toml index e0dc9618..3b5fb61e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -39,7 +39,7 @@ semver = "1.0.27" serde = "1.0.228" serde_json = "1.0.149" syn = { version = "2.0.117", features = ["full"] } -tempdir = "0.3.7" +tempfile = "3.27.0" thiserror = "2.0.18" trybuild = "1.0.116" unicode-ident = "1.0.24" diff --git a/cargo-typify/Cargo.toml b/cargo-typify/Cargo.toml index f350f5c1..9928f591 100644 --- a/cargo-typify/Cargo.toml +++ b/cargo-typify/Cargo.toml @@ -26,4 +26,4 @@ schemars = { workspace = true } assert_cmd = { workspace = true } expectorate = { workspace = true } newline-converter = { workspace = true } -tempdir = { workspace = true } +tempfile = { workspace = true } diff --git a/cargo-typify/tests/integration.rs b/cargo-typify/tests/integration.rs index 267994d1..34ecbed3 100644 --- a/cargo-typify/tests/integration.rs +++ b/cargo-typify/tests/integration.rs @@ -1,12 +1,12 @@ use expectorate::assert_contents; use newline_converter::dos2unix; -use tempdir::TempDir; +use tempfile::TempDir; #[test] fn test_simple() { let input = concat!(env!("CARGO_MANIFEST_DIR"), "/../example.json"); - let temp = TempDir::new("cargo-typify").unwrap(); + let temp = TempDir::with_prefix("cargo-typify").unwrap(); let input_file = temp.path().join("simple.json"); std::fs::copy(input, &input_file).unwrap(); @@ -26,7 +26,7 @@ fn test_simple() { fn test_default_output() { let input = concat!(env!("CARGO_MANIFEST_DIR"), "/../example.json"); - let temp = TempDir::new("cargo-typify").unwrap(); + let temp = TempDir::with_prefix("cargo-typify").unwrap(); let output_file = temp.path().join("output.rs"); assert_cmd::cargo::cargo_bin_cmd!() @@ -59,7 +59,7 @@ fn test_no_builder_stdout() { fn test_builder() { let input = concat!(env!("CARGO_MANIFEST_DIR"), "/../example.json"); - let temp = TempDir::new("cargo-typify").unwrap(); + let temp = TempDir::with_prefix("cargo-typify").unwrap(); let output_file = temp.path().join("output.rs"); assert_cmd::cargo::cargo_bin_cmd!() @@ -82,7 +82,7 @@ fn test_builder() { fn test_derive() { let input = concat!(env!("CARGO_MANIFEST_DIR"), "/../example.json"); - let temp = TempDir::new("cargo-typify").unwrap(); + let temp = TempDir::with_prefix("cargo-typify").unwrap(); let output_file = temp.path().join("output.rs"); assert_cmd::cargo::cargo_bin_cmd!() @@ -107,7 +107,7 @@ fn test_derive() { fn test_attr() { let input = concat!(env!("CARGO_MANIFEST_DIR"), "/../example.json"); - let temp = TempDir::new("cargo-typify").unwrap(); + let temp = TempDir::with_prefix("cargo-typify").unwrap(); let output_file = temp.path().join("output.rs"); assert_cmd::cargo::cargo_bin_cmd!() @@ -132,7 +132,7 @@ fn test_attr() { fn test_multi_derive() { let input = concat!(env!("CARGO_MANIFEST_DIR"), "/../example.json"); - let temp = TempDir::new("cargo-typify").unwrap(); + let temp = TempDir::with_prefix("cargo-typify").unwrap(); let output_file = temp.path().join("output.rs"); assert_cmd::cargo::cargo_bin_cmd!() @@ -173,7 +173,7 @@ fn test_help() { fn test_btree_map() { let input = concat!(env!("CARGO_MANIFEST_DIR"), "/../example.json"); - let temp = TempDir::new("cargo-typify").unwrap(); + let temp = TempDir::with_prefix("cargo-typify").unwrap(); let output_file = temp.path().join("output.rs"); assert_cmd::cargo::cargo_bin_cmd!() diff --git a/deny.toml b/deny.toml index 81028884..23b6a462 100644 --- a/deny.toml +++ b/deny.toml @@ -1,30 +1,20 @@ # cargo-deny configuration. # -# CI runs `cargo deny check advisories`. The ignore list below covers -# unmaintained-crate advisories and one CVE that all enter the tree -# transitively through dev-dependencies; none affect published crate -# code paths. Re-evaluate when bumping or removing the cited dep. +# CI runs `cargo deny check advisories`. The remaining ignore list +# covers two unmaintained-crate advisories that we cannot clear from +# our side: both come in transitively via dev-dependencies that we +# don't control. Re-evaluate when bumping or removing the cited dep. [advisories] ignore = [ # adler 1.0.2 — unmaintained, superseded by adler2. - # Pulled in transitively by miniz_oxide. Wait for the ecosystem to - # migrate (mostly through flate2/png updates). + # Pulled in transitively by miniz_oxide (→ flate2/png). Waiting on + # the ecosystem to migrate; nothing to do on our end. "RUSTSEC-2025-0056", # paste 1.0.15 — unmaintained, see pastey / with_builtin_macros. - # Used by both typify's generated code (paste in workspace deps) - # and several transitive deps. Worth replacing in generated output. + # Pulled in transitively by schema-derive (a dev-dep of + # typify-impl). Cannot clear without dropping the `schema` test + # crate or waiting for it to migrate. Not a security issue. "RUSTSEC-2024-0436", - - # tempdir 0.3.7 — deprecated in favour of tempfile. - # Dev-dependency of cargo-typify only (integration tests). TODO: - # swap to tempfile and drop both this and RUSTSEC-2023-0018. - "RUSTSEC-2018-0017", - - # remove_dir_all 0.5.3 — race-condition CVE. - # Reaches the tree only via tempdir (above) in cargo-typify dev - # tests. No production code path. Cleared automatically once the - # tempdir → tempfile swap above lands. - "RUSTSEC-2023-0018", ]