Comply with RUSTSEC-2024-0320 #2999

Closed

@stanisloe stanisloe commented Apr 3, 2024

Describe your changes

As discussed in the linked issue, yaml-rust is not maintained and poses a risk, as future vulnerabilities or bugs in yaml-rust will not be addressed. It also makes noise if you run cargo-audit. As advised in RUSTSEC-2024-0320, yaml-rust2 is a fully compliant YAML 1.2 implementation written in Rust; it works faster than its predecessor yaml-rust and is fully compatible with it.
crates/app is the affected crate, and it fetches yaml-rust from the config crate.
I've updated the config crate to the latest version and fixed compilation errors and warnings.
The reason why I'm using a commit version instead of a release tag for the config crate is that its owner is looking for a new maintainer and is not releasing new tags until then. But the yaml-rust2 issue was tested and merged to the main branch from this PR, so it should be safe to use.

Indicate on which release or other PRs this topic is based on

rust-cli/config-rs#553
#2993

Checklist before merging to draft

  • I have added a changelog
  • Git history is in acceptable state

@tzemanovic

rebased in #3305

@tzemanovic tzemanovic closed this May 24, 2024