Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cargo-deny issue due to transitive dependency safemem, which is no longer maintained #521

Open
nazmulidris opened this issue Feb 28, 2024 · 1 comment

Comments

@nazmulidris
Copy link

The safemem crate is no longer maintained: https://rustsec.org/advisories/RUSTSEC-2023-0081.html

Here's the transitive dependency that syntect has on this crate, via plist, via line-wrap.

line-wrap has made the necessary changes and published v0.2.0:

However, changes have not currently been made to plist, though this issue is open:
ebarnard/rust-plist#134

@nazmulidris nazmulidris changed the title cargo-deny issue due to transitive dependency safemem is no longer maintained cargo-deny issue due to transitive dependency safemem, which is no longer maintained Feb 28, 2024
flavio added a commit to flavio/kwctl that referenced this issue Mar 1, 2024
Ignoring `RUSTSEC-2023-0081`, which is about `safemem` being unmaintained.
This is a transitive dependency of syntect. This bug is tracked upstream inside of
trishume/syntect#521

Signed-off-by: Flavio Castelli <[email protected]>
@nazmulidris
Copy link
Author

nazmulidris commented Apr 15, 2024

plist has updated it's dependencies, and moved away from using safemem.
ebarnard/rust-plist#134

Can Cargo.toml be updated to use this latest version?

nazmulidris added a commit to r3bl-org/r3bl-open-core that referenced this issue Apr 15, 2024
…all ambiguous names to be explicit

This is an attempt to isolate the use of syntect to just 1 crate: r3bl_tui.
It has been removed from the core crate. However, it is not possible to remove
syntect from the lolcat / color_wheel modules as they are intrinsically tied
together. Basically, they need to be able to render output, and for that they
need to be in the r3bl_tui crate which has a dependency on syntect and this
can't be removed.

safemem is no longer maintained, you can see the following output from running
cargo deny check advisories.

180 │ safemem 0.3.3 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- unmaintained advisory detected
    │
    = ID: RUSTSEC-2023-0081
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0081
    = The latest crates.io release was in 2019. The repository has been archived by the author.
    = Announcement: https://github.com/abonander/safemem
    = Solution: No safe upgrade is available!
    = safemem v0.3.3
      └── line-wrap v0.1.1
          └── plist v1.6.0
              └── syntect v5.1.0
                  └── r3bl_tui v0.5.2
                      └── r3bl-cmdr v0.0.11

More info:
- #314
- ebarnard/rust-plist#134
- trishume/syntect#521

This `safemem` issue is resolved since the dependencies of syntect,
`line-wrap` and `plist` are both updated. By pinning the version of
`plist` to `1.6.1` (`cargo update -p plist --precise 1.6.1`) and
checking in `Cargo.toml`, this resolves the `safemem` issue.
nazmulidris added a commit to r3bl-org/r3bl-open-core that referenced this issue Apr 15, 2024
…all ambiguous names to be explicit

This is an attempt to isolate the use of syntect to just 1 crate: r3bl_tui.
It has been removed from the core crate. However, it is not possible to remove
syntect from the lolcat / color_wheel modules as they are intrinsically tied
together. Basically, they need to be able to render output, and for that they
need to be in the r3bl_tui crate which has a dependency on syntect and this
can't be removed.

safemem is no longer maintained, you can see the following output from running
cargo deny check advisories.

180 │ safemem 0.3.3 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------- unmaintained advisory detected
    │
    = ID: RUSTSEC-2023-0081
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0081
    = The latest crates.io release was in 2019. The repository has been archived by the author.
    = Announcement: https://github.com/abonander/safemem
    = Solution: No safe upgrade is available!
    = safemem v0.3.3
      └── line-wrap v0.1.1
          └── plist v1.6.0
              └── syntect v5.1.0
                  └── r3bl_tui v0.5.2
                      └── r3bl-cmdr v0.0.11

More info:
- #314
- ebarnard/rust-plist#134
- trishume/syntect#521

This `safemem` issue is resolved since the dependencies of syntect,
`line-wrap` and `plist` are both updated. By pinning the version of
`plist` to `1.6.1` (`cargo update -p plist --precise 1.6.1`) and
checking in `Cargo.toml`, this resolves the `safemem` issue.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant