From c5b3bfb2c75c8b52687586337466e7be3e610491 Mon Sep 17 00:00:00 2001
From: Quentin Perez
Date: Thu, 30 Dec 2021 16:49:01 +0100
Subject: [PATCH] Bump lru to 0.7.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The advisory script brought up a RUSTSEC error:
---
error[A001]: Use after free in lru crate ┌─ /home/haptop/Developer/radicle-link/Cargo.lock:207:1 │ 207 │ lru 0.6.6 registry+https://github.com/rust-lang/crates.io-index │ --------------------------------------------------------------- security vulnerability detected │ = ID: RUSTSEC-2021-0130 = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0130 = Lru crate has use after free vulnerability. Lru crate has two functions for getting an iterator. Both iterators give references to key and value. Calling specific functions, like pop(), will remove and free the value, and but it's still possible to access the reference of value which is already dropped causing use after free. = Announcement: jeromefroe/lru-rs#120 = Solution: Upgrade to >=0.7.1
---
This patch follows the recommended solution and pins the `lru` crate to 0.7.1.
---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Cargo.toml b/Cargo.toml
index b7c3dc18..252f32f6 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -66,7 +66,7 @@ smol_str = { version = "0.1.21", optional = true }
 # Non-feature optional dependencies
 blocking = { version = "1.0.2", optional = true }
-lru = { version = "0.6.5", optional = true }
+lru = { version = "0.7.1", optional = true }
 sha2 = { version = "0.9.3", optional = true }
 futures-timer = { version = "3.0.2", optional = true }
 futures-channel = { version = "0.3.13", optional = true }