valkey-io / valkey-glide

An open source Valkey client library that supports Valkey and Redis open source 6.2, 7.0 and 7.2. Valkey GLIDE is designed for reliability, optimized performance, and high-availability, for Valkey and Redis OSS based applications. GLIDE is a multi language client library, written in Rust with programming language bindings, such as Java and Python
Apache License 2.0

Rust: unmaintained dependencies need updating #2239

Closed GumpacG closed 1 month ago

GumpacG commented 1 month ago

Describe the bug

proc-macro-error is used in glide-core and is deemed to be unmaintained and should be replaced with proc-macro-error2. There are other dependencies that use proc-macro-error as well, like iai-callgrind-macros, dispose-derive, etc. Some of the dependencies have also been inactive for years and need replacing before this error occurs again.

Error:

error[unmaintained]: proc-macro-error is unmaintained
    ┌─ /home/runner/work/valkey-glide/valkey-glide/java/Cargo.lock:105:1
    │
105 │ proc-macro-error 1.0.4 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
    │
    ├ ID: RUSTSEC-2024-0370
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0370
    ├ proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email.

      proc-macro-error also depends on `syn 1.x`, which may be bringing duplicate dependencies into dependant build trees.

      ## Possible Alternative(s)

      - [proc-macro-error2](https://crates.io/crates/proc-macro-error2)
    ├ Announcement: https://gitlab.com/CreepySkeleton/proc-macro-error/-/issues/20
    ├ Solution: No safe upgrade is available!
    ├ proc-macro-error v1.0.4
      └── dispose-derive v0.4.0
          └── dispose v0.5.0
              ├── glide-core v0.1.0
              │   └── glide-rs v0.1.0
              └── redis v0.25.2
                  ├── glide-core v0.1.0 (*)
                  └── glide-rs v0.1.0 (*)

Expected Behavior

All dependencies should be from maintained projects to prevent this error from reoccurring.

Current Behavior

Running cargo deny check advisories --config ../deny.toml outputs the error error[unmaintained]: proc-macro-error is unmaintained.

Reproduction Steps

  1. Remove "RUSTSEC-2024-0370" from the ignore block in deny.toml file.
  2. Run cd glide-core
  3. Run cargo deny check advisories --config ../deny.toml

Possible Solution

No response

Additional Information/Context

From https://github.com/valkey-io/valkey-glide/pull/2235#issuecomment-2332907525:

These are the two problematic dependency chains in redis-rs: redis-rs https://github.com/amazon-contributing/redis-rs/blob/main/redis/Cargo.toml -> dispose https://github.com/ray-kast/dispose/blob/master/src/dispose/Cargo.toml -> dispose-derive https://github.com/ray-kast/dispose/blob/master/src/dispose-derive/Cargo.toml -> proc_macro_error

redis-rs https://github.com/amazon-contributing/redis-rs/blob/main/redis/Cargo.toml -> rust_decimal https://github.com/paupino/rust-decimal/blob/master/Cargo.toml -> borsh https://github.com/near/borsh-rs/blob/master/borsh/Cargo.toml -> borsh-derive https://github.com/near/borsh-rs/blob/master/borsh-derive/Cargo.toml -> syn_derive https://github.com/Kyuuhachi/syn_derive/blob/main/Cargo.toml -> proc_macro_error

glide-core only has the dependency on iai-callgrind

Once the issue is resolved, please revert changes on deny.toml in https://github.com/valkey-io/valkey-glide/pull/2235.

Request to update iai-callgrind's proc-macro-error dependency: https://github.com/iai-callgrind/iai-callgrind/issues/262

Client version used

1.0.1

Engine type and version

N/A

OS

macOS

Language

Rust

Language Version

cargo 1.79.0

Cluster information

No response

Logs

No response

Other information

No response
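Added example, not part of the original issue or of the valkey-glide code base: a standard-library-only sketch of how the inverse tree in the cargo-deny output can be recovered from a lockfile, listing every chain from a top-level crate down to the flagged one. The lockfile excerpt is constructed from the tree shown in the error, and the names `SAMPLE_LOCK`, `reverse_deps` and `chains_to` are hypothetical; crates are keyed by name only, so two versions of one crate are merged.

```rust
use std::collections::BTreeMap;
// Constructed Cargo.lock excerpt (versions omitted); all names here are illustrative.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "dispose"
dependencies = ["dispose-derive"]
[[package]]
name = "dispose-derive"
dependencies = ["proc-macro-error"]
[[package]]
name = "glide-core"
dependencies = ["dispose", "redis"]
[[package]]
name = "redis"
dependencies = ["dispose"]
"#;

/// Reverse edges (crate -> its dependents); an entry may read "name version (source)".
fn reverse_deps(lock: &str) -> BTreeMap<String, Vec<String>> {
    let mut rev: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for pkg in lock.split("[[package]]").skip(1) {
        let after = |key: &str| pkg.split(key).nth(1).unwrap_or("");
        let name = after("name = \"").split('"').next().unwrap_or("");
        let deps = after("dependencies = [").split(']').next().unwrap_or("");
        for dep in deps.split('"').skip(1).step_by(2).filter_map(|d| d.split(' ').next()) {
            rev.entry(dep.to_string()).or_default().push(name.to_string());
        }
    }
    rev
}

/// Every chain from a top-level crate down to `target`, walking reverse edges upward.
fn chains_to(lock: &str, target: &str) -> Vec<Vec<String>> {
    let (rev, mut done, mut stack) = (reverse_deps(lock), vec![], vec![vec![target.to_string()]]);
    while let Some(path) = stack.pop() {
        if let Some(parents) = rev.get(&path[path.len() - 1]) {
            for p in parents.iter().filter(|p| !path.contains(*p)) { // cycle guard
                stack.push(path.iter().chain([p]).cloned().collect());
            }
        } else if path.len() > 1 {
            done.push(path.iter().rev().cloned().collect()); // reached a top-level crate
        }
    }
    done
}

fn main() {
    chains_to(SAMPLE_LOCK, "proc-macro-error").iter().for_each(|c| println!("{}", c.join(" -> ")));
}
```

On a real workspace, `cargo tree -i proc-macro-error` prints the same inverse view directly from the resolved dependency graph.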

GumpacG commented 1 month ago

Closing as a duplicate of https://github.com/valkey-io/valkey-glide/issues/2238