assert-rs / predicates-rs

Boolean-valued predicate functions in Rust
docs.rs/predicates
Apache License 2.0

RUSTSEC-2020-0095: difference is unmaintained #97

Closed vincentdephily closed 3 years ago

vincentdephily commented 3 years ago

summary

Predicates-rs depends on an unmaintained crate and triggers audit warnings. Not a show-stopper, but predicates-rs is depended on transitively by a lot of crates. There seem to be a few alternative diffing crates, but I haven't looked into them.

As an aside, many rust projects use github actions to run regular cargo audit, see https://github.com/actions-rs/audit-check

reproduce

I tried this code: cargo audit

I expected to see this happen: No report

Instead this happened:

    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 263 security advisories (from /home/work/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (67 crate dependencies)
Crate:         difference
Version:       2.0.0
Warning:       unmaintained
Title:         difference is unmaintained
Date:          2020-12-20
ID:            RUSTSEC-2020-0095
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0095
Dependency tree:
difference 2.0.0
└── predicates 1.0.7
    └── assert_cmd 1.0.3
        └── (redacted)

warning: 1 allowed warning found

Meta

predicates-rs version: 1.0.7

vincentdephily commented 3 years ago

I had a quick look at the alternative crates listed in the advisory. It seems that none have an API that easily matches the one exported by predicates-rs (which AFAIU allows 1) specifying an acceptable distance and 2) a split character, and 3) returns a same/added/deleted enum vec):

Bottom line: There's no drop-in replacement, we'll need to change our API, at least dropping support for split() and noting that the meaning of distance has changed. One backward-compatible option is to just stub split(). Another is to provide multiple diff backends, and phase out the unmaintained difference one.

I'm going to PoC the latter, using dissimilar to start with.
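The "multiple diff backends" option discussed above, sketched as an added example that is not predicates-rs code and not the actual PoC. It keeps the shape of the existing API (a Same/Add/Rem change list, a split string, an acceptable distance) behind a `DiffBackend` trait so the backend can be swapped without touching callers. The `Lcs` backend, the `Change`/`DiffPredicate` names, and the definition of distance as "tokens added plus tokens removed" are all assumptions of this example; a real replacement backend such as dissimilar would implement the same trait, and its notion of distance may differ, which is the caveat raised above.

```rust
// Added example, not predicates-rs code: a pluggable diff backend behind a
// stable public API. `Lcs` is a stand-in backend written for this example so
// it runs with no external crates; a real backend would implement the trait.

/// One hunk of a diff: the Same/Add/Rem shape callers already consume.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Change {
    Same(String),
    Add(String),
    Rem(String),
}

/// Backend abstraction: tokenize both sides on `split`, return the hunks.
pub trait DiffBackend {
    fn diff(&self, orig: &str, edit: &str, split: &str) -> Vec<Change>;
}

#[derive(Clone, Copy, PartialEq, Eq)]
enum Kind {
    Same,
    Add,
    Rem,
}

/// Stand-in backend: O(n*m) longest-common-subsequence diff over tokens.
pub struct Lcs;

impl DiffBackend for Lcs {
    fn diff(&self, orig: &str, edit: &str, split: &str) -> Vec<Change> {
        let a: Vec<&str> = orig.split(split).collect();
        let b: Vec<&str> = edit.split(split).collect();
        let (n, m) = (a.len(), b.len());
        // lcs[i][j] = length of the LCS of a[i..] and b[j..]
        let mut lcs = vec![vec![0usize; m + 1]; n + 1];
        for i in (0..n).rev() {
            for j in (0..m).rev() {
                lcs[i][j] = if a[i] == b[j] {
                    lcs[i + 1][j + 1] + 1
                } else {
                    lcs[i + 1][j].max(lcs[i][j + 1])
                };
            }
        }
        // Walk the table, classifying every token of both sides.
        let mut raw: Vec<(Kind, &str)> = Vec::new();
        let (mut i, mut j) = (0, 0);
        while i < n && j < m {
            if a[i] == b[j] {
                raw.push((Kind::Same, a[i]));
                i += 1;
                j += 1;
            } else if lcs[i + 1][j] >= lcs[i][j + 1] {
                raw.push((Kind::Rem, a[i]));
                i += 1;
            } else {
                raw.push((Kind::Add, b[j]));
                j += 1;
            }
        }
        while i < n {
            raw.push((Kind::Rem, a[i]));
            i += 1;
        }
        while j < m {
            raw.push((Kind::Add, b[j]));
            j += 1;
        }
        // Merge runs of the same kind into one hunk, re-joined on `split`.
        let mut out = Vec::new();
        let mut idx = 0;
        while idx < raw.len() {
            let kind = raw[idx].0;
            let start = idx;
            while idx < raw.len() && raw[idx].0 == kind {
                idx += 1;
            }
            let text = raw[start..idx].iter().map(|(_, t)| *t).collect::<Vec<_>>().join(split);
            out.push(match kind {
                Kind::Same => Change::Same(text),
                Kind::Add => Change::Add(text),
                Kind::Rem => Change::Rem(text),
            });
        }
        out
    }
}

/// Predicate over text: passes when `actual` is within `distance` of `expected`.
pub struct DiffPredicate<B: DiffBackend> {
    backend: B,
    expected: String,
    split: String,
    distance: usize,
}

impl<B: DiffBackend> DiffPredicate<B> {
    pub fn new(backend: B, expected: &str) -> Self {
        Self { backend, expected: expected.to_owned(), split: "\n".to_owned(), distance: 0 }
    }
    pub fn split(mut self, split: &str) -> Self {
        self.split = split.to_owned();
        self
    }
    pub fn distance(mut self, distance: usize) -> Self {
        self.distance = distance;
        self
    }
    pub fn changes(&self, actual: &str) -> Vec<Change> {
        self.backend.diff(&self.expected, actual, &self.split)
    }
    /// Distance = tokens added plus tokens removed (this example's definition).
    pub fn measured_distance(&self, actual: &str) -> usize {
        self.changes(actual)
            .iter()
            .map(|c| match c {
                Change::Same(_) => 0,
                Change::Add(t) | Change::Rem(t) => t.split(self.split.as_str()).count(),
            })
            .sum()
    }
    pub fn eval(&self, actual: &str) -> bool {
        self.measured_distance(actual) <= self.distance
    }
}

/// Render hunks with the usual ' ', '+', '-' prefixes for failure output.
pub fn render(changes: &[Change]) -> String {
    let mut s = String::new();
    for c in changes {
        let (prefix, text) = match c {
            Change::Same(t) => (' ', t),
            Change::Add(t) => ('+', t),
            Change::Rem(t) => ('-', t),
        };
        s.push_str(&format!("{}{}\n", prefix, text));
    }
    s
}

fn main() {
    // Constructed sample input for this example.
    let expected = "alpha\nbeta\ngamma";
    let actual = "alpha\nbeta\ndelta\ngamma";
    let pred = DiffPredicate::new(Lcs, expected).distance(1);
    print!("{}", render(&pred.changes(actual)));
    println!("within distance: {}", pred.eval(actual));
}
```

Swapping `Lcs` for another backend is a one-line change at the call site, and because `Change`, `split()` and `distance()` stay as they are, the deprecated `difference`-based backend can be kept alongside the new one and phased out without a breaking release. Callers that depend on the old numeric meaning of `distance` still need the release note the thread mentions.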

vincentdephily commented 3 years ago

Whoops, this bug is a duplicate of #94; not sure why I didn't notice earlier, closing this one.