Deps.rs reports cargo vulnerabilities incorrectly using the rust version

I was looking into cargo-generate and noticed that its dependencies were marked as "insecure" by its GitHub badge, here look: [badge: dependency status]

Curious, I followed the badge and sure enough cargo has a security vulnerability. Surprised, I skipped to the bottom to read more and was reassured to see that it is quite old and fixed:

If you're using Rust 1.26.0, released on 2018-05-10, or later you're not affected.

In terms of Cargo versions, this affects Cargo up through Cargo 0.26.0. All future versions of Cargo are unaffected.

Since cargo-generate requires ^0.54.0 which is definitely higher than 0.26.0, it seems incorrect to mark cargo-generate as having an insecure dependency. So what's going on?

I found a GitHub issue for it on deps.rs.

What's happening is deps.rs is using the rust version 1.26.0 and then comparing that with the dependency version: 0.54.0 < 1.26.0 therefore vulnerable! Oh dear.

It seems a little unclear whether this is deps.rs' fault, or rust's fault. The cargo version and rust version are closely linked (for good reason), but when other crates are dependent on cargo, then the cargo version is more important than the rust version? I think that deps.rs does the obvious thing, it checks against the "patched version" of the security report, which seems to be the rust version.

This has morphed from a "what's going on?" question to a PSA as I looked at things more closely, but hopefully this is still interesting. The issue is still open, so maybe someone here will want to input.
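An added example (my own, not deps.rs's or cargo-generate's code) that models the comparison described above: it parses a caret requirement like `^0.54.0` and an advisory's patched version, and shows that the "is the dependency unpatched?" check only makes sense when the patched version belongs to the same package as the dependency. The advisory identifier and its package table are constructed for illustration.

```rust
/// Minimal MAJOR.MINOR.PATCH version (no pre-release handling; enough here).
#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub struct Version(pub u64, pub u64, pub u64);

pub fn parse_version(s: &str) -> Option<Version> {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let (a, b, c) = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { return None; }
    Some(Version(a, b, c))
}

/// Half-open range [lo, hi) for a caret requirement: ^1.2.3 => [1.2.3, 2.0.0),
/// ^0.2.3 => [0.2.3, 0.3.0), ^0.0.3 => [0.0.3, 0.0.4).
pub fn caret_range(req: &str) -> Option<(Version, Version)> {
    let lo = parse_version(req.trim().trim_start_matches('^'))?;
    let hi = match lo {
        Version(0, 0, p) => Version(0, 0, p + 1),
        Version(0, m, _) => Version(0, m + 1, 0),
        Version(maj, _, _) => Version(maj + 1, 0, 0),
    };
    Some((lo, hi))
}

/// The requirement can resolve to an unpatched release iff its lowest
/// resolvable version is below the first patched version.
pub fn requirement_may_be_vulnerable(req: &str, patched: &str) -> Option<bool> {
    let (lo, _hi) = caret_range(req)?;
    Some(lo < parse_version(patched)?)
}

/// Constructed advisory shape: first patched version listed per package.
pub struct Advisory<'a> {
    pub id: &'a str,
    pub patched: &'a [(&'a str, &'a str)],
}

/// Correct lookup: compare only against the patched version of the *same*
/// package; a rustc version is not comparable with a cargo crate version.
pub fn check_dependency(dep: &str, req: &str, adv: &Advisory) -> Result<bool, String> {
    let patched = adv.patched.iter().find(|(pkg, _)| *pkg == dep).map(|(_, v)| *v)
        .ok_or_else(|| format!("{} lists no patched version for '{}'", adv.id, dep))?;
    requirement_may_be_vulnerable(req, patched)
        .ok_or_else(|| format!("unparseable version: {} / {}", req, patched))
}

fn main() {
    let adv = Advisory { id: "ADVISORY-CONSTRUCTED", patched: &[("rustc", "1.26.0"), ("cargo", "0.26.0")] };
    println!("wrong (rustc): {:?}", requirement_may_be_vulnerable("^0.54.0", "1.26.0")); // Some(true)
    println!("right (cargo): {:?}", check_dependency("cargo", "^0.54.0", &adv)); // Ok(false)
}
```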
