unicode-org / icu4x

Solving i18n for client-side and resource-constrained environments.
https://icu4x.unicode.org

Cargo Audit Yields Warnings #4724

Open Pi-Cla opened 3 months ago

Pi-Cla commented 3 months ago

See icu4x-cargo-audit.txt for the full results.

In summary: There are transitive dependencies on atty (which is unmaintained and has a RUSTSEC entry) and atomic-polyfill (which has been yanked and deprecated by the author).

To fix the atomic-polyfill issue we need to update the serde-json-core dependency to 0.5.1 and postcard to 1.0.8.

To fix the atty issue we need to update criterion to 0.5.1 and clap (which is depended on by diplomat-tool) to version 4. Note the migration guide from clap 3 to 4.

Pi-Cla commented 3 months ago

See https://github.com/rust-diplomat/diplomat/pull/464 for progress on the clap migration

robertbastian commented 3 months ago

We actually don't use Diplomat's CLI; we should use a Cargo feature to make Diplomat's clap dependency optional.

robertbastian commented 3 months ago

We might want to run cargo audit as part of our daily main CI (it shouldn't be on PRs because we don't want the passage of time to break PR CI).
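A workflow that does what the comment above proposes, as an added example and not icu4x's own CI configuration: it runs on a daily schedule (and on manual dispatch) against `main` rather than on pull requests, so a newly published advisory cannot break an unrelated PR's checks. The workflow name, job name, cron time and the `cargo audit --deny warnings` policy (which turns "unmaintained" and "yanked" warnings like the atty and atomic-polyfill ones into a failing job) are assumptions of this example; `actions/checkout`, `cargo install cargo-audit` and the `--deny` flag are real.

```yaml
# .github/workflows/cargo-audit.yml  (example; not part of the icu4x repository)
name: Daily cargo audit

on:
  # Scheduled runs only: advisories published after a PR was opened must not
  # fail that PR's CI. 06:00 UTC is an arbitrary choice for this example.
  schedule:
    - cron: "0 6 * * *"
  # Allow maintainers to trigger a run by hand, e.g. after bumping a dependency.
  workflow_dispatch:

permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Audit the default branch regardless of where the run was triggered.
          ref: main

      - name: Install cargo-audit
        # --locked keeps the auditor's own dependency tree reproducible.
        run: cargo install cargo-audit --locked

      - name: Audit Cargo.lock
        # --deny warnings promotes unmaintained/yanked/unsound warnings to
        # errors, so a transitively pulled-in crate like atty fails the job
        # instead of being reported and forgotten. Drop the flag (or use
        # --ignore RUSTSEC-...) for a softer policy once the
        # serde-json-core/postcard/criterion/clap bumps from this issue land.
        run: cargo audit --deny warnings
```

Because nothing here runs on `pull_request`, a failure shows up as a red scheduled run on `main` that a maintainer can triage; the fix is then a normal PR bumping the offending dependency (or, for clap, disabling Diplomat's CLI feature) rather than a CI change.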