Open github-actions[bot] opened 2 years ago
@ximon18 what do you think?
I don't think this is an immediate concern. We get this as a transitive dependency through clap and oso.
I can look into upgrading clap at some point. This should not be too hard.
But I am not sure how involved it would be to update oso and whether the latest would still include ansi_term, as that is supposedly an optional (transitive) dependency in tracing-subscriber. By the looks of it we really do get a lot of dependencies through oso. I understand that that lib solves a non-trivial problem, but perhaps we should keep in mind whether we really need all this.
```
ansi_term v0.12.1
├── clap v2.34.0
│   └── krill v0.10.0-rc3-dev (/home/ximon/src/krill)
└── tracing-subscriber v0.2.25
    └── oso v0.12.4
        └── krill v0.10.0-rc3-dev (/home/ximon/src/krill)
```
We used oso because we didn't know what use cases we wanted to support and hard-coding the business rules into the application would be much more painful and invasive to work with. But of course we can revisit that decision. The version of oso we used is now quite old I think, it might be worth revisiting it, but there may well be incompatibilities with newer versions that would need to be resolved. Let me see if we need that tracing-subscriber dependency or can disable it being pulled in.
So, oso version 0.22.0 removes the dependency on ansi_term, which comes in by default features from tracing-subscriber; oso removes it by disabling default features when depending on tracing-subscriber. So we could look at upgrading from oso 0.12.4 to at least oso 0.22.0 to remove the dependency on ansi_term via oso.
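As an added illustration of the mechanism described in that comment (this is not a snippet from the thread, nor from the krill or oso projects), here is how the same fix looks in a Cargo manifest: a plain dependency on tracing-subscriber 0.2 takes its default feature set, and the feature that enables coloured output is the one that pulls in ansi_term; declaring the dependency with `default-features = false` and opting back in to only the features actually used drops ansi_term from the graph. The feature names `fmt` and `env-filter` are my assumption about tracing-subscriber 0.2.x and should be checked against the crate's own Cargo.toml for the version you pin.

```toml
[dependencies]
# Before (assumed weak form): default features of tracing-subscriber 0.2.x
# include the ANSI colour support that depends on ansi_term.
# tracing-subscriber = "0.2.25"

# After: opt out of default features and list only what the application
# needs. "fmt" and "env-filter" are assumed feature names for 0.2.x;
# verify them in the crate's Cargo.toml before relying on this.
tracing-subscriber = { version = "0.2.25", default-features = false, features = ["fmt", "env-filter"] }
```

After changing the manifest, `cargo tree -i ansi_term` (the inverted tree that produced the output quoted earlier in the thread) is the quickest way to confirm that no remaining path reaches ansi_term; if the crate is still present, the output names the dependency that still enables it.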
Upgrading to newer Oso appears to require some effort, a trivial upgrade attempt fails with errors about Actor being a reserved name and about "unhandled partial" in roles.rs at this line:
```
role_allow("admin", _actor: Permission);
```
ansi_term 0.12.1
The maintainer has advised this crate is deprecated and will not receive any maintenance.
The crate does not seem to have many dependencies and may or may not be ok to use as-is.
Last release seems to have been three years ago.
Possible Alternative(s)
The below list has not been vetted in any way and may or may not contain alternatives;
See advisory page for additional details.