Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cargo Audit Yields Warnings #4724

Open
Pi-Cla opened this issue Mar 23, 2024 · 3 comments
Open

Cargo Audit Yields Warnings #4724

Pi-Cla opened this issue Mar 23, 2024 · 3 comments

Comments

@Pi-Cla
Copy link

Pi-Cla commented Mar 23, 2024

See icu4x-cargo-audit.txt
for the full results.

In summary:
There are transitive dependencies on atty (which is unmaintained and has a RUSTSEC entry) and atomic-polyfill which has been yanked and deprecated by the author

To fix the atomic-polyfill issue we need to update the serde-json-core dependency to 0.5.1 and postcard to 1.0.8.

To fix the atty issue we need to update criterion to 0.5.1 and clap (which is depended on by diplomat-tool) to version 4. Note the migration guide from clap 3 to 4
@Pi-Cla
Copy link
Author

Pi-Cla commented Mar 23, 2024

See rust-diplomat/diplomat#464 for progress on the clap migration

@robertbastian
Copy link
Member

We actually don't use Diplomat's CLI, we should use a Cargo feature to make Diplomat's clap dependency optional.

@robertbastian
Copy link
Member

We might want to run cargo audit as part of our daily main CI (it shouldn't be on PRs because we don't want the passage of time to break PR CI).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@robertbastian @Pi-Cla