mehcode / config-rs

⚙️ Layered configuration system for Rust applications (with strong support for 12-factor applications).
Apache License 2.0

cargo-audit reports that `yaml-rust` is unmaintained #553

Closed stefano-garzarella closed 3 months ago

stefano-garzarella commented 3 months ago

We are using this crate in https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock. We run cargo-audit in our CI, which is now reporting that a dependency of this crate is unmaintained:

```
$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 615 security advisories (from /home/stefano/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (177 crate dependencies)
Crate:     yaml-rust
Version:   0.4.5
Warning:   unmaintained
Title:     yaml-rust is unmaintained.
Date:      2024-03-20
ID:        RUSTSEC-2024-0320
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0320
Dependency tree:
yaml-rust 0.4.5
└── config 0.14.0
    └── vhost-device-vsock 0.1.0

warning: 1 allowed warning found
```

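
A CI gate for reports like the one above, as an added example that is not part of this issue or of config-rs: it parses the human-readable cargo-audit layout shown in the post (a block of `Field:   value` lines followed by an indented dependency tree), fails on any vulnerability, and lets an `unmaintained` warning through only when its advisory id is on an explicit allowlist, printing the dependency chain so the team can see which direct dependency drags the crate in. The first sample report is constructed from the output posted above; the second entry, its crate name `placeholder-crate` and the id `RUSTSEC-0000-0000` are placeholders, and the rule that an entry without a `Warning:` line is a vulnerability is my assumption about the report format, not something the thread states.

```python
"""CI gate over a human-readable `cargo audit` report.

Added example, not code from the config-rs project or the issue thread.
Assumptions: one finding per block of `Field:   value` lines followed by a
`Dependency tree:` section; an entry with a `Warning:` line is a warning of
that kind, an entry without one is treated as a vulnerability.
"""
import re
from dataclasses import dataclass

# Constructed sample: the unmaintained warning posted in the issue.
SAMPLE_REPORT = """\
Crate:     yaml-rust
Version:   0.4.5
Warning:   unmaintained
Title:     yaml-rust is unmaintained.
Date:      2024-03-20
ID:        RUSTSEC-2024-0320
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0320
Dependency tree:
yaml-rust 0.4.5
└── config 0.14.0
    └── vhost-device-vsock 0.1.0

warning: 1 allowed warning found
"""

# Constructed placeholder vulnerability entry (crate name and id are not real).
SAMPLE_VULN = """\
Crate:     placeholder-crate
Version:   1.0.0
Title:     placeholder vulnerability (constructed for this example)
Date:      2024-01-01
ID:        RUSTSEC-0000-0000
URL:       https://rustsec.org/advisories/RUSTSEC-0000-0000
Dependency tree:
placeholder-crate 1.0.0
└── vhost-device-vsock 0.1.0
"""

FIELD_RE = re.compile(r"^(Crate|Version|Warning|Title|Date|ID|URL):\s+(.*)$")
# Tree lines: optional indentation and box-drawing prefix, then "<crate> <version>".
TREE_RE = re.compile(r"^[\s│]*(?:[└├]── )?(\S+) (\S+)$")


@dataclass
class Finding:
    crate: str
    version: str
    kind: str            # "unmaintained", "yanked", ... or "vulnerability"
    advisory_id: str
    title: str
    path: list           # dependency chain from the flagged crate to the root


def _build(fields):
    return Finding(
        crate=fields["crate"],
        version=fields["version"],
        kind=fields.get("warning", "vulnerability"),
        advisory_id=fields["id"],
        title=fields.get("title", ""),
        path=fields.get("path", []),
    )


def parse_report(text):
    """Split the report into Finding records."""
    findings, current, in_tree = [], {}, False
    for line in text.splitlines():
        if line.startswith("Dependency tree:"):
            in_tree, current["path"] = True, []
            continue
        if in_tree:
            m = TREE_RE.match(line)
            if m:
                current["path"].append(f"{m.group(1)} {m.group(2)}")
                continue
            # Anything else (normally a blank line) closes the finding.
            in_tree = False
            findings.append(_build(current))
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
    if current.get("crate"):
        findings.append(_build(current))
    return findings


def evaluate(findings, allowed_unmaintained):
    """Return (ok, reasons). Vulnerabilities always fail; an unmaintained
    warning passes only if its advisory id is explicitly allowed."""
    reasons = []
    for f in findings:
        chain = " -> ".join(f.path)
        if f.kind == "unmaintained" and f.advisory_id in allowed_unmaintained:
            continue
        reasons.append(f"{f.advisory_id}: {f.kind} {f.crate} {f.version} ({chain})")
    return not reasons, reasons


if __name__ == "__main__":
    import sys
    # In CI this would read the real report: `cargo audit 2>&1 | python gate.py`
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT + SAMPLE_VULN
    ok, reasons = evaluate(parse_report(text), {"RUSTSEC-2024-0320"})
    for r in reasons:
        print("FAIL", r)
    sys.exit(0 if ok else 1)
```

The allowlist is the place to record the decision this thread is about: keeping `RUSTSEC-2024-0320` there while the crate switch lands keeps the build green without silencing future vulnerability advisories, and the printed chain (`yaml-rust 0.4.5 -> config 0.14.0 -> vhost-device-vsock 0.1.0`) shows that the fix has to come from `config`, not from the application.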
w3irdrobot commented 3 months ago

more information here: https://github.com/rustsec/advisory-db/issues/1921

polarathene commented 3 months ago

I have a PR open to switch to a different crate: https://github.com/mehcode/config-rs/pull/474

If anyone wants to pick up my work there that's appreciated, otherwise I plan to get my PRs for this project when I can spare the time. Presently I'm hoping for that to be in April/May but I keep getting tied up elsewhere 😩

adamwalz commented 3 months ago

serde-yaml used in https://github.com/mehcode/config-rs/pull/474 is also unmaintained 😓

polarathene commented 3 months ago

> serde-yaml used in #474 is also unmaintained 😓

Oh I see it was archived with a final release just 2 days ago.

Perhaps it could be moved to the same rust org that config-rs is being relocated to for future maintenance? 🤷‍♂️

0rzech commented 3 months ago

RUSTSEC-2024-0320 suggests another crate:

> Consider switching to the actively maintained yaml-rust2 fork of the original project:

yaml-rust2's author is also active in the issue https://github.com/rustsec/advisory-db/issues/1921 linked in https://github.com/mehcode/config-rs/issues/553#issuecomment-2020516550.

stefano-garzarella commented 3 months ago

@0rzech thanks for the quick fix! @matthiasbeyer is there a release planned soon with this fix?

Thanks, Stefano

matthiasbeyer commented 3 months ago

No, see #549 .