Open sydhds opened 1 year ago
Report for each issue:
Crate: ansi_term
Version: 0.12.1
Warning: unmaintained
Title: ansi_term is Unmaintained
Date: 2021-08-18
ID: RUSTSEC-2021-0139
URL: https://rustsec.org/advisories/RUSTSEC-2021-0139
Dependency tree:
ansi_term 0.12.1
└── clap 2.34.0
    └── structopt 0.3.26
        ├── massa-node 0.26.1
        └── massa-client 0.26.1
By looking in the readme of structopt, they say that everything is in clap now, so we should make the transition.
Crate: mach
Version: 0.3.2
Warning: unmaintained
Title: mach is unmaintained
Date: 2020-07-14
ID: RUSTSEC-2020-0168
URL: https://rustsec.org/advisories/RUSTSEC-2020-0168
Dependency tree:
mach 0.3.2
├── wasmer-vm 4.2.0
│   ├── wasmer-middlewares 4.2.0
│   │   └── massa-sc-runtime 0.10.0
RustSec proposes mach2 instead, so I will open an issue in wasmer (EDIT: https://github.com/wasmerio/wasmer/issues/4222)
Crate: atty
Version: 0.2.14
Warning: unsound
Title: Potential unaligned read
Date: 2021-07-04
ID: RUSTSEC-2021-0145
URL: https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── massa-client 0.26.1
└── clap 2.34.0
    └── structopt 0.3.26
        ├── massa-node 0.26.1
        └── massa-client 0.26.1
Should be fixed by using clap 4; otherwise RustSec proposes other alternative crates.
Crate: borsh
Version: 0.10.3
Warning: unsound
Title: Parsing borsh messages with ZST which are not-copy/clone is unsound
Date: 2023-04-12
ID: RUSTSEC-2023-0033
URL: https://rustsec.org/advisories/RUSTSEC-2023-0033
Dependency tree:
borsh 0.10.3
└── rust_decimal 1.32.0
Blocked: https://github.com/paupino/rust-decimal/issues/595#issuecomment-1671984639
Would be nice to include this in the CI as well :)
I'm not a big fan of this, as some warnings depend on other projects like wasmer, and so it will block our CI for something that we don't control.
Would it be possible to add it as warnings?
Note: the only remaining warning with cargo audit is the one with mach (dependency of wasmer), issue is here: https://github.com/wasmerio/wasmer/issues/4222
Running cargo-audit 0.18.1 on massa code testnet 26 reports a few issues that might be interesting to fix...
setup
cargo install cargo-audit && cargo audit
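As an added example for the CI question raised in this thread (it is not code from the massa repository or from cargo-audit), the script below reads a `cargo audit --json` report, fails the job only on real vulnerabilities that are not on an allow-list, and surfaces the unmaintained/unsound/yanked advisories as GitHub Actions `::warning::` annotations instead of breaking the build on crates the project does not control. The report layout it reads (`vulnerabilities.list` and `warnings.<kind>`) is the cargo-audit JSON report as I understand it and is an assumption of this example; the embedded sample report is constructed from the advisory IDs quoted in the issue plus one placeholder vulnerability on a made-up `example-crate`. For the single-command case, cargo-audit's own `--ignore <RUSTSEC-ID>` flag is the simpler way to waive an advisory that is tracked upstream.

```python
"""Triage a `cargo audit --json` report into CI-blocking findings and warnings.

Added example, not part of massa or cargo-audit. The JSON layout assumed here:
report["vulnerabilities"]["list"] holds real vulnerabilities, and
report["warnings"][kind] holds informational entries (unmaintained, unsound,
yanked). SAMPLE_REPORT below is a constructed document in that layout.
"""
import json
import sys

# Advisories that are known and tracked upstream; they are reported but never
# block. RUSTSEC-2020-0168 (mach) is the one the thread says is blocked on wasmer.
TRACKED_UPSTREAM = {
    "RUSTSEC-2020-0168": "https://github.com/wasmerio/wasmer/issues/4222",
}

# Constructed sample report: the advisories from the issue plus a placeholder
# vulnerability (RUSTSEC-0000-0000 / example-crate are not real).
SAMPLE_REPORT = {
    "vulnerabilities": {
        "found": True,
        "count": 1,
        "list": [
            {
                "advisory": {"id": "RUSTSEC-0000-0000", "title": "placeholder vulnerability"},
                "package": {"name": "example-crate", "version": "1.0.0"},
            }
        ],
    },
    "warnings": {
        "unmaintained": [
            {"advisory": {"id": "RUSTSEC-2021-0139", "title": "ansi_term is Unmaintained"},
             "package": {"name": "ansi_term", "version": "0.12.1"}},
            {"advisory": {"id": "RUSTSEC-2020-0168", "title": "mach is unmaintained"},
             "package": {"name": "mach", "version": "0.3.2"}},
        ],
        "unsound": [
            {"advisory": {"id": "RUSTSEC-2021-0145", "title": "Potential unaligned read"},
             "package": {"name": "atty", "version": "0.2.14"}},
            {"advisory": {"id": "RUSTSEC-2023-0033",
                          "title": "Parsing borsh messages with ZST which are not-copy/clone is unsound"},
             "package": {"name": "borsh", "version": "0.10.3"}},
        ],
        # Yanked-crate warnings carry no advisory object (constructed entry).
        "yanked": [{"advisory": None, "package": {"name": "some-yanked", "version": "0.1.0"}}],
    },
}


def _entry(kind, advisory, package, allowlist):
    """Normalise one finding into a flat record; 'tracked' is set when allow-listed."""
    advisory = advisory or {}
    adv_id = advisory.get("id", "(no advisory)")
    return {
        "kind": kind,
        "id": adv_id,
        "package": f"{package['name']} {package['version']}",
        "title": advisory.get("title", ""),
        "tracked": allowlist.get(adv_id),
    }


def triage(report, allowlist=TRACKED_UPSTREAM):
    """Split a report into {'block': [...], 'warn': [...]}.

    Real vulnerabilities block unless allow-listed; informational warnings
    (unmaintained, unsound, yanked) only warn, so an upstream crate such as
    wasmer's mach dependency cannot fail the pipeline on its own.
    """
    block, warn = [], []
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        e = _entry("vulnerability", vuln.get("advisory"), vuln["package"], allowlist)
        (warn if e["tracked"] else block).append(e)
    for kind, items in report.get("warnings", {}).items():
        for w in items:
            warn.append(_entry(kind, w.get("advisory"), w["package"], allowlist))
    return {"block": block, "warn": warn}


def annotations(result):
    """Render GitHub Actions workflow commands: ::error:: for blockers, ::warning:: otherwise."""
    lines = []
    for e in result["block"]:
        lines.append(f"::error::{e['id']} {e['package']}: {e['title']}")
    for e in result["warn"]:
        note = f" (tracked: {e['tracked']})" if e["tracked"] else ""
        lines.append(f"::warning::[{e['kind']}] {e['id']} {e['package']}: {e['title']}{note}")
    return lines


def exit_code(result):
    """Non-zero only when at least one finding blocks."""
    return 1 if result["block"] else 0


if __name__ == "__main__":
    # Usage: cargo audit --json > report.json || true; python audit_triage.py report.json
    # With no argument the constructed sample report is triaged instead.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    res = triage(data)
    print("\n".join(annotations(res)))
    sys.exit(exit_code(res))
```

Because `cargo audit` itself exits non-zero when it finds a vulnerability, write its JSON to a file with `|| true` and let this script decide the job's exit status; that way the informational advisories stay visible as annotations on every run while the pipeline only fails on an unwaived vulnerability.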