gcomte / dingir-exchange Goto Github PK
View Code? Open in Web Editor NEWThis project forked from fluidex/dingir-exchange
A high performance crypto trading engine
This project forked from fluidex/dingir-exchange
A high performance crypto trading engine
Potential segfault in
localtime_r
invocations
Details | |
---|---|
Package | chrono |
Version | 0.4.19 |
URL | chronotope/chrono#499 |
Date | 2020-11-10 |
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
No workarounds are known.
See advisory page for additional details.
dotenv is Unmaintained
Details | |
---|---|
Status | unmaintained |
Package | dotenv |
Version | 0.15.0 |
URL | dotenv-rs/dotenv#74 |
Date | 2021-12-24 |
dotenv by description is meant to be used in development or testing only.
Using this in production may or may not be advisable.
The below may or may not be feasible alternative(s):
See advisory page for additional details.
Fix test admin-rights-test for REST call /tradepairs
(adding a new market) in examples/js/tests/authorization.ts
.
Should become a copy-paste issue once fluidex#371 is fixed.
Since we use Keycloak as our user authentication service, we are pushed into using UUIDs as user ids. These are rather long and therefore not as performant as simple integers, which itself may have to change in order to increase the performance of the matchengine.
But this issue is about a performance-bug that should be fixed even with using UUIDs: We store the UUIDs as VARCHAR(36)
in the PostgreSQL database, which is bad practice, and should be fixed.
To achieve this, the DB user_id fields should be set to be of type UUID rather than VARCHAR(36); check out the scripts in the migrations
-folder for this.
Then, it would probably make sense to use a UUID-datatype in Rust too, in the file src/storage/models.rs
, and get the application and the DB to understand each others datatype.
ansi_term is Unmaintained
Details | |
---|---|
Status | unmaintained |
Package | ansi_term |
Version | 0.12.1 |
URL | ogham/rust-ansi-term#72 |
Date | 2021-08-18 |
The maintainer has adviced this crate is deprecated and will not
receive any maintenance.
The crate does not seem to have much dependencies and may or may not be ok to use as-is.
Last release seems to have been three years ago.
The below list has not been vetted in any way and may or may not contain alternatives;
See advisory page for additional details.
Integer overflow in the bundled Brotli C library
Details | |
---|---|
Package | brotli-sys |
Version | 0.3.2 |
URL | bitemyapp/brotli2-rs#45 |
Date | 2021-12-20 |
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.
An updated version of brotli-sys
has not been released. If one cannot update the C library, its authors recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
In Rust the issue can be mitigated by migrating to the brotli
crate, which provides a Rust implementation of Brotli compression and decompression that is not affected by this issue.
See advisory page for additional details.
Potential segfault in the time crate
Details | |
---|---|
Package | time |
Version | 0.1.44 |
URL | time-rs/time#293 |
Date | 2020-11-18 |
Patched versions | >=0.2.23 |
Unaffected versions | =0.2.0,=0.2.1,=0.2.2,=0.2.3,=0.2.4,=0.2.5,=0.2.6 |
Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
The affected functions from time 0.2.7 through 0.2.22 are:
time::UtcOffset::local_offset_at
time::UtcOffset::try_local_offset_at
time::UtcOffset::current_local_offset
time::UtcOffset::try_current_local_offset
time::OffsetDateTime::now_local
time::OffsetDateTime::try_now_local
The affected functions in time 0.1 (all versions) are:
at
at_utc
now
Non-Unix targets (including Windows and wasm) are unaffected.
Pending a proper fix, the internal method that determines the local offset has been modified to always return None
on the affected operating systems. This has the effect of returning an Err
on the try_*
methods and UTC
on the non-try_*
methods.
Users and library authors with time in their dependency tree should perform cargo update
, which will pull in the updated, unaffected code.
Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.
No workarounds are known.
See advisory page for additional details.
Instead of suppressing console.log()
in examples/js/tests/authorization.ts, let's work with log levels to get a clean output in the test suite.
stdweb is unmaintained
Details | |
---|---|
Status | unmaintained |
Package | stdweb |
Version | 0.4.20 |
URL | koute/stdweb#403 |
Date | 2020-05-04 |
The author of the stdweb
crate is unresponsive.
Maintained alternatives:
See advisory page for additional details.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.