Hi,
in a recent supply chain security audit of one of my projects, the ANES crate triggered a false positive alert, which I reported, but upon further investigation, it turned out that none of my crates uses ANES, so eventually I found out that the alert was triggered by the ANES dependency in Criterion (which I use extensively).
Since ANES hasn't been maintained for 4 years, the question is whether it's worth considering replacing ANES with a more maintained alternative?
Alternative crates would be: crossterm, termion.
For clarification, ANES does not pose a security problem, it's just not maintained and somehow triggers those false-positive alerts. Meaning, nothing bad happens if the issue gets ignored. However, if the team needs help in assessing the feasibility of replacing ANES, I would be willing to contribute some work.
Thank you,
Marvin Hansen