The transitive dependency of rkyv has encountered a RUSTSEC Advisory; this doesn't seem to be something that consumers have any control over opting out of. It appears to be an optional dependency of the rust_decimal crate, which means it could either be disabled by xee or feature-gated to allow consumers to enable it.
cargo audit
```
Crate: rkyv
Version: 0.7.45
Title: Potential Undefined Behaviors in `Arc<T>`/`Rc<T>` impls of `from_value` on OOM
Date: 2026-01-05
ID: RUSTSEC-2026-0001
URL: https://rustsec.org/advisories/RUSTSEC-2026-0001
Solution: Upgrade to >=0.8.13
Dependency tree:
rkyv 0.7.45
└── rust_decimal 1.39.0
    ├── xee-xpath-lexer 0.1.3
    │   └── xee-xpath-ast 0.1.3
    │       ├── xee-xpath-macros 0.1.3
    │       │   └── xee-interpreter 0.1.5
    │       │       ├── xee-xpath-compiler 0.1.4
    │       │       │   └── xee-xpath 0.1.4
    │       │       ├── xee-xpath 0.1.4
    │       │       └── xee-ir 0.1.4
    │       │           ├── xee-xpath-compiler 0.1.4
    │       │           └── xee-xpath 0.1.4
    │       ├── xee-xpath-compiler 0.1.4
    │       ├── xee-xpath 0.1.4
    │       ├── xee-ir 0.1.4
    │       └── xee-interpreter 0.1.5
    ├── xee-xpath-compiler 0.1.4
    ├── xee-xpath-ast 0.1.3
    ├── xee-xpath 0.1.4
    ├── xee-ir 0.1.4
    └── xee-interpreter 0.1.5
```