rustsec / advisory-db

Security advisory database for Rust crates published through crates.io
https://rustsec.org

Fix patched zerovec-derive version #2007

Closed Manishearth closed 2 months ago

Manishearth commented 2 months ago

We accidentally proposed the wrong version here in #1990.

zerovec 0.10.4 and zerovec-derive 0.10.3 are patched.

Manishearth commented 2 months ago

@tarcieri potential CI that could be added: something that at least warns rustsec maintainers when there are no patched versions available

Manishearth commented 2 months ago

Thanks for the quick merge, @Shnatsel !!

Shnatsel commented 2 months ago

Thanks for the fix!

Yes, we've looked into doing this on CI, but that would require building out an infrastructure for warnings. Sometimes we publish an advisory a few hours before the patched version goes up on crates.io, so we need something that is restricted to the PR, surfaced on GitHub nicely, and is easy to ignore if need be. We don't really have the manpower for that right now, but patches would be welcome.

Manishearth commented 2 months ago

I was envisioning a non-blocking CI job that fails when files touched in the current PR don't have available versions. Not too complex.

(don't have time now but may take a stab at this at some point)
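One shape the check sketched in the last two comments could take, as an added example and not code from rustsec/advisory-db: a small Rust binary that parses the advisory files a PR touched and fails (visibly, but on a job marked non-required) when an advisory's `[versions] patched` list is empty. It assumes the advisory layout (a `crates/<name>/*.md` file opening with a ```toml front matter block that carries a `[versions]` table with a `patched = [...]` array), that the changed paths are handed to it on the command line by the CI step (for instance from `git diff --name-only origin/main...HEAD`), and that the workflow runs the job with `continue-on-error: true`; the `::warning::` line is GitHub Actions' annotation syntax, which surfaces the message on the PR. None of those details come from the thread. The sample advisories built by `sample_advisory` are constructed for the example and are not real RustSec entries.

```rust
// Added example, not code from rustsec/advisory-db: a non-blocking CI check that
// warns when an advisory file touched in a PR lists no patched versions.
// Assumptions (not stated on the page): advisories are crates/<name>/*.md files
// starting with a ```toml front matter block whose [versions] table has a
// `patched = [...]` array; the changed paths arrive on the command line (e.g.
// from `git diff --name-only origin/main...HEAD`); the workflow runs the job
// with `continue-on-error: true` so the failure is visible but never blocks.
use std::{env, fs};

/// What the check found in one advisory file.
#[derive(Debug, PartialEq)]
pub enum PatchStatus {
    Patched(Vec<String>),    // at least one version requirement listed
    Unpatched,               // `patched = []` or key missing
    Malformed(&'static str), // no front matter / no [versions] table
}

/// Body of the first ```toml fenced block (the advisory front matter).
pub fn front_matter(advisory: &str) -> Option<&str> {
    let rest = &advisory[advisory.find("```toml")? + 7..];
    Some(&rest[..rest.find("```")?])
}

/// Lines of the `[versions]` table, up to the next table header.
fn versions_table(toml: &str) -> Option<Vec<&str>> {
    let (mut found, mut lines) = (false, Vec::new());
    for line in toml.lines().map(str::trim) {
        if line.starts_with('[') {
            if found { break; }
            found = line == "[versions]";
        } else if found {
            lines.push(line);
        }
    }
    found.then_some(lines)
}

/// Elements of `patched = [ ... ]`, which may span lines and carry `#` comments;
/// None when the key is absent or is not an array.
fn patched_entries(table: &[&str]) -> Option<Vec<String>> {
    let (mut buf, mut collecting) = (String::new(), false);
    for line in table {
        let line = line.split('#').next().unwrap_or("").trim(); // strip TOML comments
        if collecting {
            buf.push_str(line);
        } else if let Some(v) = line.strip_prefix("patched").and_then(|r| r.trim_start().strip_prefix('=')) {
            collecting = true;
            buf.push_str(v);
        }
        if buf.contains(']') { break; } // array closed, possibly after several lines
    }
    let inner = buf.trim().strip_prefix('[')?.split(']').next()?;
    Some(inner.split(',').map(|s| s.trim().trim_matches('"').to_string()).filter(|s| !s.is_empty()).collect())
}

/// Classify one advisory file's contents.
pub fn patch_status(advisory: &str) -> PatchStatus {
    let toml = match front_matter(advisory) { Some(t) => t, None => return PatchStatus::Malformed("no toml front matter") };
    let table = match versions_table(toml) { Some(t) => t, None => return PatchStatus::Malformed("no [versions] table") };
    match patched_entries(&table) {
        Some(v) if !v.is_empty() => PatchStatus::Patched(v),
        _ => PatchStatus::Unpatched,
    }
}

/// One warning per touched advisory (path, contents) with no patched version;
/// non-advisory paths in the PR are skipped.
pub fn warnings_for(files: &[(String, String)]) -> Vec<String> {
    files.iter().filter_map(|(path, body)| {
        if !path.starts_with("crates/") || !path.ends_with(".md") { return None; }
        match patch_status(body) {
            PatchStatus::Patched(_) => None,
            PatchStatus::Unpatched => Some(format!("{path}: [versions] patched is empty; is the fixed release on crates.io yet?")),
            PatchStatus::Malformed(why) => Some(format!("{path}: {why}")),
        }
    }).collect()
}

/// Constructed sample advisory (not a real RustSec entry) with a chosen `patched`
/// line, so the check can be exercised without the repository checked out.
pub fn sample_advisory(package: &str, patched_line: &str) -> String {
    let fence = "```";
    format!("{fence}toml\n[advisory]\npackage = \"{package}\"\n\n[versions]\n{patched_line}\n{fence}\n\n# Sample title\n\nSample body.\n")
}

fn main() {
    let files: Vec<(String, String)> = env::args().skip(1)
        .filter_map(|p| fs::read_to_string(&p).ok().map(|body| (p, body)))
        .collect();
    let warnings = warnings_for(&files);
    for w in &warnings {
        println!("::warning::{w}"); // GitHub Actions annotation, shown on the PR
    }
    if !warnings.is_empty() { std::process::exit(1); }
}
```

The parser is deliberately narrow: it only looks for a `patched` key inside `[versions]` and treats an absent or empty array the same way, so the job also fires on an advisory whose fix is still hours away from crates.io. That is the case Shnatsel describes, which is why the exit status belongs on a job that is not a required check: the red mark says "look at this" without stopping the merge.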