Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

atty is unmaintaned and creates an advisory warning #74

Open
kgraefe opened this issue Jan 25, 2023 · 2 comments · Fixed by DioxusLabs/dioxus#1049
Open

atty is unmaintaned and creates an advisory warning #74

kgraefe opened this issue Jan 25, 2023 · 2 comments · Fixed by DioxusLabs/dioxus#1049

Comments

@kgraefe
Copy link

kgraefe commented Jan 25, 2023
edited
Loading

See https://rustsec.org/advisories/RUSTSEC-2021-0145.html for the advisory. It has not been patched even though an already-reviewed PR is available for a long time.

several projects e.g. clap and env_logger switched to is_terminal
@Razican Razican mentioned this issue Mar 17, 2023
Closed
bors bot pushed a commit to boa-dev/boa that referenced this issue Mar 17, 2023
@Razican
Updated dependencies, removes remove_dir_all, which is vulnerable (#…
d7d5c5e 
…2685)

After this, we are still waiting for `indexmap` & `dashmap` to provide the new `hashbrown` to reduce duplicate dependencies, and for `criterion` to remove `clap` and release a new version. We're also waiting for a new version of `icu_datagen` that bumps the `zip` dependency to avoid a potential vulnerability. Ideally, they would also bump the `simple_logger` dependency, which is pretty outdated. In any case, `simple_logger` still uses an unmaintained `atty` dependency.

Relevant issues:
 - xacrimon/dashmap#250
 - unicode-org/icu4x#3150
 - bheisler/criterion.rs#599
 - borntyping/rust-simple_logger#74
@azriel91 azriel91 mentioned this issue May 29, 2023
Merged
@ChrisCA ChrisCA mentioned this issue Jun 2, 2023
Merged
@ChrisCA ChrisCA mentioned this issue Jul 3, 2023
Closed
@ChrisCA
Copy link
Contributor

ChrisCA commented Jul 5, 2023

I think that this is solved now and can be closed.
Colored has removed the dependency on atty.

@V0ldek
Copy link

V0ldek commented Aug 1, 2023

Correct, running cargo update -p colored to update the dep fixes the advisory.

However, I feel like this crate's dep on colored should be bumped to minimum of 2.0.4 to enforce this update on upstreams.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Adjust chrono features to address security advisory. azriel91/dioxus
3 participants
@kgraefe @ChrisCA @V0ldek