Bump env_logger dep to avoid cursed atty version

basvanwesting / genetic-algorithm

A genetic algorithm implementation for Rust

Other

19 stars 0 forks source link

Bump env_logger dep to avoid cursed atty version #2

Closed mmastrac closed 3 months ago

mmastrac commented 3 months ago

The current version of env_logger is pointing at a version of atty that's vulnerable to https://rustsec.org/advisories/RUSTSEC-2021-0145.

This risk is pretty low and it's unlikely to trigger any issues, but it shows up on dependabot alerts. :/

basvanwesting commented 3 months ago

The broader issue is that atty is unmaintained. Version 0.11.x of env_logger solves this, but it requires Rust 1.71. I'll update to Rust 1.71 and then update env_logger.

basvanwesting commented 3 months ago

Only a dev-dependency on atty left though criterion 0.3. I'll have to update Rust to 1.74 in order to upgrade that, shall I just jump to the latest Rust and update all dependencies? @mmastrac

mmastrac commented 3 months ago

Totally. Bumping everything works.

basvanwesting commented 3 months ago

Great, I'll do this in the coming days. I'm travelling and couldn't really work the past days.

basvanwesting commented 3 months ago

I've released v0.7.1 which sets the MSRV to 1.71.1 and solves RUSTSEC-2021-0145