search

tikv / grpc-rs

The gRPC library for Rust built on C Core library and futures
Apache License 2.0
1.81k stars 253 forks source link

Dependency `ansi_term` is Unmaintained #647

Open purew opened 6 months ago

purew commented 6 months ago

Describe the bug

Running cargo-deny flags grpcio since one of the dependencies are marked as unmaintained.

The output looks like

6 │ ansi_term 0.12.1 registry+https://github.com/rust-lang/crates.io-index
  │ ---------------------------------------------------------------------- unmaintained advisory detected
  │
  = ID: RUSTSEC-2021-0139
  = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0139
  = The maintainer has advised that this crate is deprecated and will not receive any maintenance.

    The crate does not seem to have much dependencies and may or may not be ok to use as-is.

    Last release seems to have been three years ago.

    ## Possible Alternative(s)

     The below list has not been vetted in any way and may or may not contain alternatives;

     - [ansiterm](https://crates.io/crates/ansiterm)
     - [anstyle](https://github.com/epage/anstyle)
     - [console](https://crates.io/crates/console)
     - [nu-ansi-term](https://crates.io/crates/nu-ansi-term)
     - [owo-colors](https://crates.io/crates/owo-colors)
     - [stylish](https://crates.io/crates/stylish)
     - [yansi](https://crates.io/crates/yansi)

    ## Dependency Specific Migration(s)

     - [structopt, clap2](https://github.com/clap-rs/clap/discussions/4172)
  = Announcement: https://github.com/ogham/rust-ansi-term/issues/72
  = Solution: No safe upgrade is available!
  = ansi_term v0.12.1
    └── clap v2.34.0
        └── bindgen v0.59.2
            └── (build) grpcio-sys v0.13.0+1.56.2-patched
                └── grpcio v0.13.0

in which you can see that grpcio-sys depends on bindgen 0.59.2 which depends on clap 2.34 which in turn depends on the offending ansi_term 0.12.

To Reproduce Run cargo-deny as described in https://github.com/EmbarkStudios/cargo-deny?tab=readme-ov-file#usage

Expected behavior There should be no vulnerabilities or advisories flagged in the grpcio codebase.

System information

Additional context Add any other context about the problem here.

BusyJay commented 6 months ago

Should be fixed by #648.