rustsec / advisory-db

Security advisory database for Rust crates published through crates.io
https://rustsec.org

adler is archived #1992

Open jayvdb opened 1 week ago

jayvdb commented 1 week ago

https://crates.io/crates/adler has a lot of dependents, including https://github.com/rust-lang/backtrace-rs via https://github.com/Frommi/miniz_oxide .

See https://github.com/Frommi/miniz_oxide/issues/148

https://github.com/jonas-schievink/adler was archived around 25 March 2024. Seems most of their repos were also archived.

https://github.com/jonas-schievink last commit was September 2023.

fintelia commented 3 days ago

24% of all crates on crates.io transitively depend on adler, but it has only 9 direct dependents. Approximately all indirect dependencies are via miniz_oxide. The adler32-simd crate uses adler as a dev dependency and the other 7 dependents have orders of magnitude fewer downloads.

smoelius commented 3 days ago

24% of all crates on crates.io transitively depend on adler

@fintelia How did you figure this out?

dtolnay commented 3 days ago

You can divide "Used in 35,426 crates" (https://lib.rs/crates/adler) by "150,348 Crates in stock" (https://crates.io).

To see the historical metric, cargo tally --relative --transitive adler

smoelius commented 3 days ago

Thanks, @dtolnay!

tarcieri commented 3 days ago

24% of all crates on crates.io transitively depend on adler, but it has only 9 direct dependents.

Given that, it would probably make sense to work directly with those 9 crates, perhaps opening an issue if there isn't one already and linking it here, rather than immediately publishing an advisory for this (or at least, wait until it's been fixed upstream so the advisory is actionable, and that action is to update Cargo.lock).

Otherwise, this is going to be a very noisy advisory with little actionable impact aside from those 9 crates, especially as we don't currently have ways of filtering out advisories for transitive dependencies.

Skgland commented 3 days ago

I think it is of note that of those 9 direct dependants

this leaves only miniz_oxide with both adler as a normal dependency and with dependants.

fintelia commented 2 days ago

I think this will be an interesting test case of whether it always makes sense to issue unmaintained advisories: The adler crate implements a decades-old checksum algorithm. It is only a couple hundred lines total, most of which are comments or tests. It has been heavily tested and fuzzed, uses no unstable features, and contains no unsafe code.
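For readers unfamiliar with what the crate actually does, here is the Adler-32 checksum (RFC 1950) as a streaming implementation in safe Rust. This is an added illustration, not the adler crate's own code; the `Adler32` type, `NMAX` deferred-modulo bound and test vector are taken from the RFC and zlib's reference behaviour, not from this thread.

```rust
// Added example (not the adler crate's code): streaming Adler-32 as defined
// in RFC 1950, using zlib's deferred-modulo trick to avoid a `%` per byte.
const MOD_ADLER: u32 = 65521; // largest prime below 2^16

// Largest n such that 255*n*(n+1)/2 + (n+1)*(MOD_ADLER-1) < 2^32, i.e. the
// most bytes `b` can absorb from a reduced state without overflowing a u32.
const NMAX: usize = 5552;

#[derive(Clone, Copy, Debug)]
pub struct Adler32 {
    a: u32, // running byte sum, starts at 1
    b: u32, // running sum of all intermediate `a` values
}

impl Adler32 {
    pub fn new() -> Self {
        Adler32 { a: 1, b: 0 }
    }

    /// Feed more bytes. Checksumming a stream piecewise yields the same
    /// result as checksumming the concatenated input in one call.
    pub fn update(&mut self, data: &[u8]) {
        for chunk in data.chunks(NMAX) {
            // Both sums stay below 2^32 for up to NMAX bytes (see the NMAX
            // comment), so one reduction per chunk is enough.
            for &byte in chunk {
                self.a += byte as u32;
                self.b += self.a;
            }
            self.a %= MOD_ADLER;
            self.b %= MOD_ADLER;
        }
    }

    /// Final 32-bit checksum: high half is `b`, low half is `a`.
    pub fn finish(&self) -> u32 {
        (self.b << 16) | self.a
    }
}

/// One-shot convenience wrapper over the streaming type.
pub fn adler32(data: &[u8]) -> u32 {
    let mut h = Adler32::new();
    h.update(data);
    h.finish()
}

fn main() {
    // RFC test vector: "Wikipedia" -> 0x11e60398
    println!("{:#010x}", adler32(b"Wikipedia"));
}
```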

jayvdb commented 17 hours ago

Archived repos effectively can't receive bug reports. Even more so when the owner of the repo appears to have intentionally stopped all activity here, in which case it is preferable to respect their decision and avoid contacting the maintainer except in a critical circumstance.