search

sigstore / sigstore-rs

An experimental Rust crate for sigstore
https://sigstore.github.io/sigstore-rs/sigstore/
Apache License 2.0
171 stars 53 forks source link

RUSTSEC-2024-0370: proc-macro-error is unmaintained #388

Open github-actions[bot] opened 2 months ago

github-actions[bot] commented 2 months ago

proc-macro-error is unmaintained

Details
Status unmaintained
Package proc-macro-error
Version 1.0.4
URL https://gitlab.com/CreepySkeleton/proc-macro-error/-/issues/20
Date 2024-09-01

proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email.

proc-macro-error also depends on syn 1.x, which may be bringing duplicate dependencies into dependant build trees.

Possible Alternative(s)

See advisory page for additional details.

tannaurus commented 2 months ago

This appears to have silenced in main https://github.com/sigstore/sigstore-rs/pull/387/files

This that a temporary solution, do we plan on monitoring this further?

flavio commented 2 months ago

I've reported the issue to oci-spec, which is including this dependency. There's hope this is going to be addressed soon. See https://github.com/containers/oci-spec-rs/issues/209