mozilla/authenticator-rs

Dependency serde_cbor is unmaintained

mtnking opened this issue · 2 comments

See title; it flags on "cargo audit".

There is a "serde_cbor_2" that someone forked and took responsibility for to avoid the warning (and to avoid having to change anything), or other crates like ciborium that are actively maintained.

AFAIK the reason auth-rs hasn't yet switched to serde_cbor_2 was basically that there was no need.
Indeed, cargo audit does complain, but Firefox uses cargo vet and their own vetting system, so they don't run into that problem.
serde_cbor_2 is basically a hard copy without any code changes to the original (and I know the people behind the fork). And rewiring this crate to the new dependency has significant overhead with regard to vendoring the new dependency in the Firefox repo.
So, as the sources are unchanged, the bump to serde_cbor_2 was not yet considered "worth the effort", I think.
auth-rs's usage of serde_cbor is pretty stable and has been vetted, so it being unmaintained shouldn't be a huge problem. And if a (security-) bug does arise, switching over to serde_cbor_2 is still an option.

I am aware of the nature of the fork - I'm the guy who opened the issue that prompted it and participated in the discussion around it. I'm not expecting immediate action, but I would hope it would not be so casually dismissed as "well it's not causing a problem for me, we'll wait for an exploit". If the inconvenience of changing is as significant as you suggest, an exploit is not the time to need to go through all that, given that it has impact on Firefox.
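For the "switch without changing anything" point raised in this thread, the following is an added illustration, not code from the authenticator-rs repository or from either commenter, of how Cargo's dependency renaming (the `package` key in a `[dependencies]` entry) pulls the fork while leaving every `use serde_cbor::...` path in the source untouched. The version string is an assumption and would have to be checked against what the fork actually publishes.

```toml
[dependencies]
# Build against the fork, but keep the crate name `serde_cbor` as seen by
# this crate's source, so no `use serde_cbor::...` line has to change.
# "0.12" is an assumed version for illustration; check crates.io for the real one.
serde_cbor = { package = "serde_cbor_2", version = "0.12" }
```

What this does and does not buy: the source tree stays unchanged, and because `cargo audit` matches advisories against the package name recorded in `Cargo.lock` (now `serde_cbor_2`), the "unmaintained" warning for `serde_cbor` disappears. It does not remove the cost the maintainer describes: the lockfile changes, a new vendored copy of the crate still has to land in the Firefox tree, and that copy still needs its own `cargo vet` entry, so the rename only shrinks the diff inside auth-rs itself.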