NLnetLabs / krill

RPKI Certificate Authority and Publication Server written in Rust
https://nlnetlabs.nl/projects/routing/krill/
Mozilla Public License 2.0

RUSTSEC-2021-0139: ansi_term is Unmaintained #881

Open github-actions[bot] opened 2 years ago

github-actions[bot] commented 2 years ago

ansi_term is Unmaintained

Details

Status: unmaintained
Package: ansi_term
Version: 0.12.1
URL: https://github.com/ogham/rust-ansi-term/issues/72
Date: 2021-08-18

The maintainer has advised this crate is deprecated and will not receive any maintenance.

The crate does not seem to have many dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

See advisory page for additional details.

timbru commented 2 years ago

@ximon18 what do you think?

I don't think this is an immediate concern. We get this as a transitive dependency through clap and oso.

I can look into upgrading clap at some point. This should not be too hard.

But I am not sure how involved it would be to update oso and whether the latest would still include ansi_term as that is supposedly an optional (transitive) dependency in tracing-subscriber. By the looks of it we really do get a lot of dependencies through oso. I understand that that lib solves a non-trivial problem, but perhaps we should keep in mind whether we really need all this.

ximon18 commented 2 years ago

ansi_term v0.12.1
├── clap v2.34.0
│   └── krill v0.10.0-rc3-dev (/home/ximon/src/krill)
└── tracing-subscriber v0.2.25
    └── oso v0.12.4
        └── krill v0.10.0-rc3-dev (/home/ximon/src/krill)

We used oso because we didn't know what use cases we wanted to support and hard-coding the business rules into the application would be much more painful and invasive to work with. But of course we can revisit that decision. The version of oso we used is now quite old I think, it might be worth revisiting it, but there may well be incompatibilities with newer versions that would need to be resolved. Let me see if we need that tracing-subscriber dependency or can disable it being pulled in.

ximon18 commented 2 years ago

So, oso version 0.22.0 removes the dependency on ansi_term, which comes in via the default features of tracing-subscriber; oso removes it by disabling default features when depending on tracing-subscriber. So we could look at upgrading from oso 0.12.4 to at least oso 0.22.0 to remove the dependency on ansi_term via oso.
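
The pattern described in the comment above, as an added Cargo.toml example that is not code from krill or oso: a crate depending on tracing-subscriber 0.2 keeps ansi_term out of its graph by turning off default features. The feature names used here are an assumption about tracing-subscriber 0.2's manifest.

```toml
# Added example, not from the krill or oso repositories.
# Assumption: tracing-subscriber 0.2 exposes an "ansi" default feature that
# pulls in ansi_term, plus "fmt" and "env-filter" features. Verify with
#   cargo tree -i ansi_term -e features
# after editing; the inverted tree in the comment above came from `cargo tree -i ansi_term`.

[dependencies]
# Weak: the default feature set includes "ansi", which brings in the
# unmaintained ansi_term crate flagged by RUSTSEC-2021-0139.
# tracing-subscriber = "0.2"

# Corrected (what the comment attributes to oso 0.22.0): disable default
# features and opt back in only to what the crate actually uses.
tracing-subscriber = { version = "0.2", default-features = false, features = ["fmt", "env-filter"] }
```

Note that this only works in the manifest of the crate that depends on tracing-subscriber directly; a downstream crate such as krill, which reaches it only through oso, cannot switch off features that oso enables and has to upgrade oso instead, as the comment says.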

ximon18 commented 2 years ago

Upgrading to newer Oso appears to require some effort; a trivial upgrade attempt fails with errors about Actor being a reserved name and about "unhandled partial" in roles.rs at this line:

role_allow("admin", _actor: Permission);