cargo-audit reports that `yaml-rust` is unmaintained
Closed this issue · 7 comments
We are using this crate in https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock
We run cargo-audit in our CI which now is reporting that a dependency of this crate is unmaintained:
$ cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 615 security advisories (from /home/stefano/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (177 crate dependencies)
Crate: yaml-rust
Version: 0.4.5
Warning: unmaintained
Title: yaml-rust is unmaintained.
Date: 2024-03-20
ID: RUSTSEC-2024-0320
URL: https://rustsec.org/advisories/RUSTSEC-2024-0320
Dependency tree:
yaml-rust 0.4.5
└── config 0.14.0
    └── vhost-device-vsock 0.1.0
warning: 1 allowed warning found
more information here: rustsec/advisory-db#1921
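The run quoted above ends in "1 allowed warning found": cargo-audit only warns about unmaintained crates unless told to deny them (for example `cargo audit --deny unmaintained`). The script below, added here and not part of the issue or of config-rs, applies the same gate to `cargo audit --json` output with an explicit ignore list; the JSON layout (a "vulnerabilities" list plus "warnings" keyed by kind) is my understanding of the tool's format and the sample report is constructed from the advisory in this thread.

```python
import json

# Constructed sample modelled on the cargo-audit run in this issue; the JSON
# shape (top-level "vulnerabilities" and "warnings" keyed by kind) is assumed.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"found": False, "count": 0, "list": []},
    "warnings": {
        "unmaintained": [{
            "kind": "unmaintained",
            "package": {"name": "yaml-rust", "version": "0.4.5"},
            "advisory": {
                "id": "RUSTSEC-2024-0320",
                "title": "yaml-rust is unmaintained.",
                "date": "2024-03-20",
                "url": "https://rustsec.org/advisories/RUSTSEC-2024-0320",
            },
        }],
    },
})


def _finding(kind: str, entry: dict) -> dict:
    # Yanked-crate warnings carry no advisory, so tolerate a missing block.
    advisory = entry.get("advisory") or {}
    package = entry.get("package") or {}
    return {
        "kind": kind,
        "id": advisory.get("id", "<no advisory id>"),
        "crate": package.get("name"),
        "version": package.get("version"),
        "url": advisory.get("url"),
    }


def audit_findings(report_json: str) -> list[dict]:
    """Flatten vulnerabilities and every warning kind into one list."""
    report = json.loads(report_json)
    findings = [_finding("vulnerability", v)
                for v in report.get("vulnerabilities", {}).get("list", [])]
    for kind, warnings in report.get("warnings", {}).items():
        findings.extend(_finding(kind, w) for w in warnings)
    return findings


def blocking_findings(report_json: str,
                      deny_kinds=("vulnerability", "unmaintained"),
                      ignore=()) -> list[dict]:
    """Findings that should fail CI: denied kinds minus explicitly ignored IDs."""
    return [f for f in audit_findings(report_json)
            if f["kind"] in deny_kinds and f["id"] not in ignore]
```

In a CI job, pipe `cargo audit --json` into `blocking_findings` and exit non-zero when the list is non-empty; advisories accepted for a known reason go in `ignore`, mirroring the `ignore` list in `.cargo/audit.toml`.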
I have a PR open to switch to a different crate: #474
If anyone wants to pick up my work there that's appreciated, otherwise I plan to get my PRs for this project when I can spare the time. Presently I'm hoping for that to be in April/May but I keep getting tied up elsewhere 😩
serde-yaml used in #474 is also unmaintained 😓
Oh I see it was archived with a final release just 2 days ago.
Perhaps it could be moved to the same rust org that config-rs is being relocated to for future maintenance? 🤷‍♂️
RUSTSEC-2024-0320 suggests another crate:
Consider switching to the actively maintained yaml-rust2 fork of the original project:
Yaml-rust2's author is also active in the rustsec/advisory-db#1921 issue linked in #553 (comment).
@0rzech thanks for the quick fix!
@matthiasbeyer is there a release planned soon with this fix?
Thanks,
Stefano
No, see #549 .