Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency ansi_term is Unmaintained #647

Open
purew opened this issue Apr 29, 2024 · 1 comment
Open

Dependency ansi_term is Unmaintained #647

purew opened this issue Apr 29, 2024 · 1 comment

Comments

@purew
Copy link

purew commented Apr 29, 2024

Describe the bug

Running cargo-deny flags grpcio since one of the dependencies are marked as unmaintained.

The output looks like

6 │ ansi_term 0.12.1 registry+https://github.com/rust-lang/crates.io-index
  │ ---------------------------------------------------------------------- unmaintained advisory detected
  │
  = ID: RUSTSEC-2021-0139
  = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0139
  = The maintainer has advised that this crate is deprecated and will not receive any maintenance.

    The crate does not seem to have much dependencies and may or may not be ok to use as-is.

    Last release seems to have been three years ago.

    ## Possible Alternative(s)

     The below list has not been vetted in any way and may or may not contain alternatives;

     - [ansiterm](https://crates.io/crates/ansiterm)
     - [anstyle](https://github.com/epage/anstyle)
     - [console](https://crates.io/crates/console)
     - [nu-ansi-term](https://crates.io/crates/nu-ansi-term)
     - [owo-colors](https://crates.io/crates/owo-colors)
     - [stylish](https://crates.io/crates/stylish)
     - [yansi](https://crates.io/crates/yansi)

    ## Dependency Specific Migration(s)

     - [structopt, clap2](https://github.com/clap-rs/clap/discussions/4172)
  = Announcement: https://github.com/ogham/rust-ansi-term/issues/72
  = Solution: No safe upgrade is available!
  = ansi_term v0.12.1
    └── clap v2.34.0
        └── bindgen v0.59.2
            └── (build) grpcio-sys v0.13.0+1.56.2-patched
                └── grpcio v0.13.0

in which you can see that grpcio-sys depends on bindgen 0.59.2 which depends on clap 2.34 which in turn depends on the offending ansi_term 0.12.

To Reproduce
Run cargo-deny as described in https://github.com/EmbarkStudios/cargo-deny?tab=readme-ov-file#usage

Expected behavior
There should be no vulnerabilities or advisories flagged in the grpcio codebase.

System information

  • CPU architecture: x86-64
  • Distribution and kernel version: Archlinux 6.8.7-arch1-2
  • SELinux on?: Don't know
  • Any other system details we should know?:

Additional context
Add any other context about the problem here.
@BusyJay
Copy link
Member

BusyJay commented May 7, 2024

Should be fixed by #648.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@purew @BusyJay