`lexical` is a popular crate with a lot of UB

[Shnatsel]

https://github.com/Alexhuszagh/rust-lexical/issues lists a large amount of soundness issues, and the crate has not been updated in over a year. It has 15,000 daily downloads. We should file an advisory for it.

[Nugine]

Is there any alternative?

[Shnatsel]

For floats: https://crates.io/crates/fast-float external crates no longer needed, a good algorithm was merged into libcore

For integers:
https://crates.io/crates/atoi
https://crates.io/crates/btoi
They are not as fast, but at least they let you skip the UTF-8 check.

Note that I have not reviewed these crates for soundness.

There's also atoi_simd but I've tried fuzzing it and the fuzzer has discovered straight-up buffer overreads in under a minute, so it's even more broken than lexical. I'll file issues upstream about it shortly. Saethlin beat me to it: RoDmitry/atoi_simd#1

[Shnatsel]

And there's also https://crates.io/crates/minimal-lexical but that also needs to be carefully checked for soundness

[saethlin]

fast-float is also not in the best shape, it has a soundness issue. A fix was merged 2 years ago and never released.
aldanor/fast-float-rust#28

But I'm pretty sure I've seen the author around, so they can probably be encouraged to cut a new release.

[dtolnay]

Not necessarily broadly applicable as an alternative, but serde_json contains a vendored fork of minimal-lexical from which I stripped the unsafe code. Someone should feel free to extract this to a new crate if it's an easier starting point than current minimal-lexical. https://github.com/serde-rs/json/tree/v1.0.105/src/lexical