orhun / rustypaste

A minimal file upload/pastebin service.
https://blog.orhun.dev/blazingly-fast-file-sharing
MIT License
726 stars 46 forks

RUSTSEC-2024-0320: yaml-rust is unmaintained. #276

Open github-actions[bot] opened 2 months ago

github-actions[bot] commented 2 months ago

yaml-rust is unmaintained.

Details

Status: unmaintained
Package: yaml-rust
Version: 0.4.5
URL: https://github.com/rustsec/advisory-db/issues/1921
Date: 2024-03-20

The maintainer seems unreachable.

Many issues and pull requests have been submitted over the years without any response.

Alternatives

Consider switching to the actively maintained yaml-rust2 fork of the original project:

See advisory page for additional details.

orhun commented 2 months ago

Looks like we need a new release of the config dependency for resolving this.

tessus commented 1 month ago

This will be interesting, especially since config-rs is unmaintained as well.

orhun commented 1 month ago

everything is falling apart 🥲

tessus commented 1 month ago

The config crate is used extensively in the Rust ecosystem, thus I believe a new maintainer will be found sooner or later.

But yes, I never liked these dependencies. In C you had a few include files and sometimes 3rd party libs, but that was it. Every single Rust project has at least 10 dependencies. This was always something that made me slightly nervous.