Open jayvdb opened 1 week ago
24% of all crates on crates.io transitively depend on adler, but it has only 9 direct dependents. Approximately all indirect dependencies are via miniz_oxide. The adler32-simd crate uses adler as a dev dependency and the other 7 dependents have orders of magnitude fewer downloads.
24% of all crates on crates.io transitively depend on adler

@fintelia How did you figure this out?
You can divide "Used in 35,426 crates" (https://lib.rs/crates/adler) by "150,348 Crates in stock" (https://crates.io).
To see the historical metric: cargo tally --relative --transitive adler
Thanks, @dtolnay!
24% of all crates on crates.io transitively depend on adler, but it has only 9 direct dependents.
Given that, it would probably make sense to work directly with those 9 crates, perhaps opening an issue if there isn't one already and linking it here, rather than immediately publishing an advisory for this (or at least, wait until it's been fixed upstream so the advisory is actionable, and that action is to update Cargo.lock).
Otherwise, this is going to be a very noisy advisory with little actionable impact aside from those 9 crates, especially as we don't currently have ways of filtering out advisories for transitive dependencies.
I think it is of note that of those 9 direct dependants:

- simd-adler32, and pixelmosh have adler only as a dev-dependency
- pixelmosh only has one dependant which has no dependants itself
- cargo-attributions, intelligit, emote-psb, zawk, nod, and rxsync have no dependants

This leaves only miniz_oxide with both adler as a normal dependency and with dependants.
I think this will be an interesting test case of whether it always makes sense to issue unmaintained advisories: The adler crate implements a decades old checksum algorithm. It is only a couple hundred lines total, most of which are comments or tests. It has been heavily tested and fuzzed, uses no unstable features, and contains no unsafe code.
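For readers who want to see how small the checksum in question is, here is an added example (not the adler crate's own code, not posted by anyone in this thread) of a complete Adler-32 in safe Rust, using the RFC 1950 definition and the standard deferred-modulo trick; the struct and function names are my own.

```rust
// Added example: Adler-32 as specified in RFC 1950, in safe Rust.
// Not the `adler` crate's source; names and structure are hypothetical.
const MOD_ADLER: u32 = 65521; // largest prime below 2^16

// Largest n such that 255*n*(n+1)/2 + (n+1)*(MOD_ADLER-1) fits in u32.
// Lets us add NMAX bytes before reducing, so a u32 never overflows.
const NMAX: usize = 5552;

/// Streaming Adler-32 state: `a` is 1 + sum of bytes, `b` is the sum of
/// every intermediate `a`, both kept modulo 65521.
pub struct Adler32 {
    a: u32,
    b: u32,
}

impl Adler32 {
    pub fn new() -> Self {
        Adler32 { a: 1, b: 0 }
    }

    /// Feed more bytes; can be called repeatedly on a stream.
    pub fn write(&mut self, data: &[u8]) {
        for chunk in data.chunks(NMAX) {
            for &byte in chunk {
                self.a += byte as u32;
                self.b += self.a;
            }
            // Reduce once per chunk; NMAX guarantees no overflow above.
            self.a %= MOD_ADLER;
            self.b %= MOD_ADLER;
        }
    }

    /// Final checksum: high 16 bits are `b`, low 16 bits are `a`.
    pub fn checksum(&self) -> u32 {
        (self.b << 16) | self.a
    }
}

/// One-shot convenience wrapper.
pub fn adler32(data: &[u8]) -> u32 {
    let mut h = Adler32::new();
    h.write(data);
    h.checksum()
}

fn main() {
    // Well-known test vector: Adler-32("Wikipedia") == 0x11e60398
    println!("{:#010x}", adler32(b"Wikipedia"));
}
```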
Archived repos effectively can't receive bug reports. Even more so when the owner of the repo appears to have intentionally stopped all activity here, in which case it is preferable to respect their decision and avoid contacting the maintainer except in a critical circumstance.
https://crates.io/crates/adler has a lot of dependents, including https://github.com/rust-lang/backtrace-rs via https://github.com/Frommi/miniz_oxide.
See https://github.com/Frommi/miniz_oxide/issues/148
https://github.com/jonas-schievink/adler was archived around 25 March 2024. Seems most of their repos were also archived.
https://github.com/jonas-schievink last commit was September 2023.