Open Pi-Cla opened 3 months ago
See https://github.com/rust-diplomat/diplomat/pull/464 for progress on the clap migration
We actually don't use Diplomat's CLI, we should use a Cargo feature to make Diplomat's clap
dependency optional.
We might want to run cargo audit as part of our daily main CI (it shouldn't be on PRs because we don't want the passage of time to break PR CI).
See icu4x-cargo-audit.txt for the full results.
In summary: There are transitive dependencies on atty (which is unmaintained and has a RUSTSEC entry) and atomic-polyfill which has been yanked and deprecated by the author
To fix the atomic-polyfill issue we need to update the serde-json-core dependency to 0.5.1 and postcard to 1.0.8.
To fix the atty issue we need to update criterion to 0.5.1 and clap (which is depended on by diplomat-tool) to version 4. Note the migration guide from clap 3 to 4