Should we use the audit workflow in CI?

[github-actions[bot]]

Potential unaligned read

Details
Status	unsound
Package	atty
Version	0.2.14
URL	https://github.com/softprops/atty/issues/50
Date	2021-07-04

On windows, atty dereferences a potentially unaligned pointer.

In practice however, the pointer won't be unaligned unless a custom global allocator is used.

In particular, the System allocator on windows uses HeapAlloc, which guarantees a large enough alignment.

atty is Unmaintained

A Pull Request with a fix has been provided over a year ago but the maintainer seems to be unreachable.

Last release of atty was almost 3 years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

• std::io::IsTerminal - Stable since Rust 1.70.0
• is-terminal - Standalone crate supporting Rust older than 1.70.0

See advisory page for additional details.

[wileyj]

@Acaccia https://github.com/stacks-network/clarity-wasm/blob/main/.github/workflows/audit-on-new-deps.yaml this is a great workflow to have enabled, but as you're seeing can be incredibly chatty, especially as the project/repo grows. the same goes with clippy workflows

[Acaccia]

@wileyj I see that :/ I will disable both I guess.

[wileyj]

i wouldn't go that far just yet - but maybe have a plan for how to update these deps (combined with an ignore list)? i'm a fan of the idea here, and i'd like to do similar for the blockchain repo - but (same with clippy) i found it can be very chatty and you don't always want to update a dependency if you're not affected by a cve.

[Acaccia]

I don't have time for dealing with this right now, but yes, I will open an issue to see what we can do about it later. Thank you for the advice @wileyj :)

[obycode]

This dependency comes from clarity-repl. I'll rename the issue and leave it open for the discussion.