getditto/safer_ffi

Allow disabling dependency on `inventory v0.1`

phil-opp opened this issue · 2 comments

There are some open security advisories for `inventory` < v0.2.0: https://rustsec.org/packages/inventory.html. They are not serious, but it would still be nice to provide a way to remove the `inventory v0.1` version from the dependency graph.

Since #132, there is an optional `inventory-0-3-1` feature, but the header feature still enables the `inventory v0.1` dependency unconditionally.

(I tried working around that by enabling the `safer_ffi-proc_macros/headers` feature manually instead of the top-level `headers` feature. Unfortunately, this doesn't work since there are multiple `#[cfg(feature = "headers")]` instances in the code, which are required as well.)

`inventory@0.2` seems to have a much lower MSRV, so that could at least be used to get rid of the warning.