stacks-network / clarity-wasm

`clar2wasm` is a compiler for generating WebAssembly from Clarity.
GNU General Public License v3.0

Should we use the audit workflow in CI? #25

Open github-actions[bot] opened 1 year ago

github-actions[bot] commented 1 year ago

Potential unaligned read

Details
Status unsound
Package atty
Version 0.2.14
URL https://github.com/softprops/atty/issues/50
Date 2021-07-04

On Windows, atty dereferences a potentially unaligned pointer.

In practice however, the pointer won't be unaligned unless a custom global allocator is used.

In particular, the System allocator on Windows uses HeapAlloc, which guarantees a large enough alignment.

atty is Unmaintained

A Pull Request with a fix was provided over a year ago, but the maintainer seems to be unreachable.

Last release of atty was almost 3 years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

See advisory page for additional details.

wileyj commented 1 year ago

@Acaccia https://github.com/stacks-network/clarity-wasm/blob/main/.github/workflows/audit-on-new-deps.yaml this is a great workflow to have enabled, but as you're seeing, it can be incredibly chatty, especially as the project/repo grows. The same goes for clippy workflows.

Acaccia commented 1 year ago

@wileyj I see that :/ I will disable both I guess.

wileyj commented 1 year ago

I wouldn't go that far just yet, but maybe have a plan for how to update these deps (combined with an ignore list)? I'm a fan of the idea here, and I'd like to do similar for the blockchain repo, but (same with clippy) I found it can be very chatty, and you don't always want to update a dependency if you're not affected by a CVE.
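One way to act on the "ignore list plus a plan to update" suggestion, as an added example that is not part of this thread or of the clarity-wasm repo: a small triage script that sits between `cargo audit --json` and the CI exit code. Every ignore entry must carry a justification and an expiry date; once the date passes, the finding blocks the build again, so a suppression cannot silently live forever. The RUSTSEC ids, package names and the `load_findings` layout (vulnerabilities under `vulnerabilities.list`, warnings keyed by kind under `warnings`) are constructed or assumed for the example and should be checked against the real cargo-audit output before use.

```python
"""Triage cargo-audit findings against an ignore list that carries a reason
and an expiry date, so that suppressions are revisited instead of piling up.

Added example for this discussion; not the clarity-wasm project's own tooling.
"""
import json
import sys
from datetime import date


def load_findings(report):
    """Flatten a cargo-audit JSON report into one list of finding dicts.

    Assumed layout (adjust if the real `cargo audit --json` output differs):
    report["vulnerabilities"]["list"] holds vulnerabilities, and
    report["warnings"] maps a kind ("unmaintained", "unsound", ...) to a list
    of warnings; each item carries "advisory" and "package" sub-objects.
    """
    findings = []
    for item in report.get("vulnerabilities", {}).get("list", []):
        findings.append(_finding("vulnerability", item))
    for kind, items in report.get("warnings", {}).items():
        for item in items:
            findings.append(_finding(kind, item))
    return findings


def _finding(kind, item):
    adv, pkg = item["advisory"], item["package"]
    return {"id": adv["id"], "kind": kind, "package": pkg["name"],
            "version": pkg["version"], "title": adv.get("title", "")}


def triage(findings, ignore_list, today):
    """Split findings into (blocking, suppressed, expired_ignores).

    `today` is an ISO date string. An ignore entry only suppresses a finding
    while it has not expired; after that the finding blocks again, which
    forces either a dependency update or a renewed entry with a fresh reason.
    """
    today = date.fromisoformat(today)
    active, expired = {}, []
    for entry in ignore_list:
        if date.fromisoformat(entry["expires"]) < today:
            expired.append(entry)
        else:
            active[(entry["id"], entry["package"])] = entry
    blocking, suppressed = [], []
    for f in findings:
        (suppressed if (f["id"], f["package"]) in active else blocking).append(f)
    return blocking, suppressed, expired


def ci_exit_code(findings, ignore_list, today):
    """0 when CI may pass: nothing blocking and no stale ignore entries."""
    blocking, _, expired = triage(findings, ignore_list, today)
    return 0 if not blocking and not expired else 1


# Constructed sample data. The RUSTSEC ids are placeholders, not real advisory
# identifiers; substitute the ids from the advisory pages you are tracking.
SAMPLE_FINDINGS = [
    {"id": "RUSTSEC-0000-0001", "kind": "unsound", "package": "atty",
     "version": "0.2.14", "title": "Potential unaligned read"},
    {"id": "RUSTSEC-0000-0002", "kind": "unmaintained", "package": "atty",
     "version": "0.2.14", "title": "atty is Unmaintained"},
    {"id": "RUSTSEC-0000-0003", "kind": "vulnerability", "package": "example-crate",
     "version": "1.0.0", "title": "Constructed vulnerability for the example"},
]

IGNORE_LIST = [
    {"id": "RUSTSEC-0000-0001", "package": "atty", "expires": "2030-12-31",
     "reason": "Windows only; no custom global allocator in this project"},
    {"id": "RUSTSEC-0000-0002", "package": "atty", "expires": "2023-01-01",
     "reason": "Transitive via clarity-repl; revisit when upstream moves off atty"},
]


def main(argv):
    """Usage: triage.py [cargo-audit-report.json]; uses the sample data otherwise."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            findings = load_findings(json.load(fh))
    else:
        findings = SAMPLE_FINDINGS
    today = date.today().isoformat()
    blocking, suppressed, expired = triage(findings, IGNORE_LIST, today)
    for f in suppressed:
        print(f"ignored  {f['id']} {f['package']} {f['version']} ({f['kind']})")
    for e in expired:
        print(f"EXPIRED  ignore for {e['id']} on {e['expires']}: {e['reason']}")
    for f in blocking:
        print(f"BLOCKING {f['id']} {f['package']} {f['version']} ({f['kind']}) {f['title']}")
    return ci_exit_code(findings, IGNORE_LIST, today)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this would run as `cargo audit --json > report.json; python triage.py report.json`, with the ignore list checked into the repo next to the workflow so that each suppression is reviewed in a pull request like any other change. Keying entries on (advisory id, package) rather than on the package alone keeps a new advisory for an already-ignored crate from being hidden by an old entry.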

Acaccia commented 1 year ago

I don't have time for dealing with this right now, but yes, I will open an issue to see what we can do about it later. Thank you for the advice @wileyj :)

obycode commented 1 year ago

This dependency comes from clarity-repl. I'll rename the issue and leave it open for the discussion.