colored-rs/colored

dependency atty trips RUSTSEC-2021-0145

damccull opened this issue · 13 comments

I'm getting a rustsec warning on cargo audit:

https://rustsec.org/advisories/RUSTSEC-2021-0145

Is this something being looked into?

No release in 3 years.

Switch to owo-colors and use the compatibility layer.

Thanks

Hey, thanks for the issue! I'm a newer member to the project, but I'm here to help start getting these issues and PRs tackled, and to keep the project moving forward in general.

You mentioned that security advisory @damccull, but I'm not seeing how that's originating in this crate. Excuse me if I'm just overlooking something, but it looks like the version of atty this crate is using is 2.0, which should automatically be using the latest version of atty when you use this crate.

Is this still affecting you? I'm wanting to start closing up some issues that don't need to be open anymore, but I'd like to leave this open in case there's something going on.

I was using the latest version of colored when I posted the issue, however I've since switched to owo-colors as suggested by another user.

I'm glad to see this project hasn't disappeared completely though.

For sure, this project ain't out yet @damccull! I use it in a fair amount of my own projects, so I'm definitely vetted into seeing the success of it. It also appears to be quite popular on crates.io, so whatever I can do to help with a crate like this I'm definitely down for.

I'll go ahead and close this issue for the time being. If it appears to be an issue by anyone after the new release is made a new issue can be made and I'll get it looked at.

amitu commented

@hwittenborn I am a little confused about the resolution. atty is not maintained and this crate depends on it. It is possible to remove atty as a dependency by creating a minor release for this crate. If you close this we will be forced to move to another crate.

If it appears to be an issue by anyone after the new release is made a new issue can be made and I'll get it looked at.

Did you mean you are working on a new release of this crate without atty as a dependency? In which case maybe close this issue after the release is published?

That's my bad @amitu, I hadn't looked too much into that CVE and just assumed it was fixed on the latest release. That'll probably involve either getting into a fork of the upstream or just removing the dependency (the latter of which is a fair possibility, see #125 (comment)).

There definitely needs to be no crates with active vulnerabilities in here though. I'm just getting stuff discussed with mackwic before doing much.

I'll go ahead and reopen this issue since it's still affecting colorized then.

amitu commented

Rust 1.70.0 added https://doc.rust-lang.org/stable/std/io/trait.IsTerminal.html, which is a stdlib replacement for atty. There is already an issue related to MSRV: #85.

Maybe set MSRV to 1.70.0 and create a major release? And to be extra nice create a patch release as well with another crate as a dependency?

I am not sure how much time you have on your hand. But if you agree maybe someone can send a PR with these changes? Publishing releases is still work.
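As an added example (not code from the colored crate or from anyone in this thread), here is what the atty-to-stdlib migration looks like: the `atty::is(atty::Stream::Stdout)` call becomes `std::io::stdout().is_terminal()`, which needs MSRV 1.70.0. The colour policy around it (a `--color` override and the NO_COLOR variable) is an assumption added to make the decision testable, not something the thread specifies.

```rust
// Added example: replacing the unmaintained `atty` crate with the
// std::io::IsTerminal trait stabilised in Rust 1.70.0 (MSRV 1.70.0).
use std::io::{self, IsTerminal, Write};

/// Colour policy, kept separate from the real stream so it can be unit-tested.
/// Assumption (not from the thread): honour the NO_COLOR convention and an
/// explicit `force` flag (e.g. a `--color=always|never` CLI option).
pub fn should_colorize(stream_is_tty: bool, no_color_set: bool, force: Option<bool>) -> bool {
    match force {
        Some(forced) => forced,        // explicit user choice wins
        None if no_color_set => false, // NO_COLOR present: never emit escapes
        None => stream_is_tty,         // default: colour only when writing to a terminal
    }
}

/// Wrap text in an ANSI SGR sequence only when the policy allows it.
pub fn paint(text: &str, ansi_code: &str, colorize: bool) -> String {
    if colorize {
        format!("\x1b[{}m{}\x1b[0m", ansi_code, text)
    } else {
        text.to_string()
    }
}

/// The atty replacement: `atty::is(atty::Stream::Stdout)` becomes this.
pub fn stdout_is_terminal() -> bool {
    io::stdout().is_terminal()
}

fn main() -> io::Result<()> {
    // Hypothetical CLI flag parsing, just enough to drive the policy.
    let force = std::env::args().find_map(|a| match a.as_str() {
        "--color=always" => Some(true),
        "--color=never" => Some(false),
        _ => None,
    });
    let no_color = std::env::var_os("NO_COLOR").is_some();
    let colorize = should_colorize(stdout_is_terminal(), no_color, force);
    let mut out = io::stdout().lock();
    writeln!(out, "{}", paint("colour policy applied", "31", colorize))
}
```

Piping the binary into another program (`| cat`) should drop the escapes, while `--color=always` keeps them.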

Oh cool, didn't know that was part of the stdlib. I was wanting to add an MSRV for the project but wasn't sure what to set it to, that gives a good one to set though.

Making a new release isn't an issue at all, I'm actually wanting to start automating the process so that I don't have to do it manually anymore. I'm just waiting for @mackwic to give me access to the crate on crates.io before I can do anything.

I'm thinking he's probably still pretty busy with stuff though, but I saw you had access to the crate @kurtlawrence. Would you mind adding me as a maintainer of the crate on crates.io if mackwic isn't able to get back?

orhun commented

Just a stranger passing by, it feels good to see activity on this repo!

Would you mind adding me as a maintainer of the crate on crates.io if mackwic isn't able to get back?

Sorry @hwittenborn, just saw this. I see Thomas has added you now.

Dependabot is reporting a vulnerability with atty on my project too. Excited to see that a fix is in the works.


Fixed in v2.0.2.