Allow disabling dependency on `inventory v0.1`
phil-opp opened this issue · 2 comments
There are some open security advisories for inventory
< v0.2.0
: https://rustsec.org/packages/inventory.html . They are not serious, but it would still be nice to provide a way to remove the inventory v0.1
version from the dependency graph.
Since #132, there is an optional inventory-0-3-1
feature, but the header
feature still enables the inventory v0.1
dependency unconditionally.
(I tried working around that by enabling the safer_ffi-proc_macros/headers
feature manually instead of the top-level headers
feature. Unfortunately, this doesn't work since there are multiple #[cfg(feature = "headers")]
instances in the code, which are required as well.)
inventory@0.2 seems to have a much lower MSRV, so that could at least be used, to get rid of the warning
- dtolnay/inventory#72 gives even more motivation to get this done