How do you deal with vulnerabilities in crates which are way upstream?


GitHub has a nice feature(dependabot) to notify about vulnerabilities in crates which you use. I usually like to be proactive and take care of that.

However, I stumbled on the issues that sometimes the vulnerability is way-way upstream.

For example, a critical vulnerability in traitobject exist (NVD - CVE-2020-35881). We don't use it directly, but rather we got it via following dependency chain:


What do you do in such case? Do you fork it/fix it and and do [patch] to override dependency? Per my understanding it should work.

However, I see only 3 (public) forks of traitobject for 2.5M of logrs downloads which leads me to question whether other people do it like that.


If the original maintainer doesn't do anything about it, then you'll need to fork, and then bug users of the vulnerable crate to switch to the fork (or fork recursively).

[patch] may be okay as a temporary solution locally, but for crates-io crates you'll need actual dependencies updated.