logo

Database

Non-upgradable dependencies In pqcrypto-sphincsplus

Description

pqcrypto-sphincsplus is unmaintained: upstream PQClean project being archived This crate provides Rust bindings to SPHINCS+/SLH-DSA (FIPS 205) via C implementations from PQClean. The PQClean project is being archived in or after July 2026 (see PQClean/PQClean#604), after which no further security patches or bug fixes will be applied to the upstream implementations.

As a result, this crate will no longer receive updates. Users should migrate to the slh-dsa crate, which provides a pure-Rust implementation of SLH-DSA (FIPS 205).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. OSV-RUSTSEC-2026-01602. GCVE-RUSTSEC-2026-01603. rustsec.org

References

1. https://github.com/rustpq/pqcrypto/issues/97

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.