Closed kornelski closed 2 years ago
Maintenance status is a vulnerability like the others, and we are not complicating that further.
This vulnerability typically represents an increased chance of malicious takeover or other supply-chain-related security vulnerabilities.
Vulnerability: the quality or state of being exposed to the possibility of being attacked or harmed.
The Rust ecosystem favors large numbers of small dependencies, and often these are from solo maintainers who aren't necessarily established or don't care too much about maintaining some little piece of software.
Whereas the legacy security databases were spun up during the dark ages of "write it all yourself" and didn't have much package management to go with them to supplement / enrich their software with things that served as a tiny cog in a big wheel.
Whether the vulnerability is "acceptable" to someone as such is another opinion, but not an opinion to dictate to the whole user base based on one person's or a few people's acceptable risk profile(s).
Nonetheless, otherwise I agree that `is_vulnerable` is perhaps just a suboptimal API style-wise and nothing more.
Changing public APIs for stylistic reasons isn't what we are probably going to be doing. If there is / are another reason(s), then it needs to be framed as such and re-opened afterwards on another issue, but stylistic reasons alone don't justify changing this, I suspect.
There will be some clarification re: terminology in the FAQ: https://github.com/rustsec/rustsec/issues/674
I suspect `Versions.is_vulnerable` should be called something more neutral, like `is_affected` or `is_applicable`, because it can be on an `Advisory` that is about maintenance, and that's not a vulnerability.