Remove "multipart" dependency
willclevine opened this issue · 13 comments
Is your feature request related to a problem? Please describe.
Warp 0.3.3's dependency on `multipart` v0.18.0 now causes a vulnerability advisory error during `cargo deny check`:

```
error[vulnerability]: Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
...
= Announcement: https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead
= Solution: Upgrade to >=0.8.0
= remove_dir_all v0.5.3
  └── tempfile v3.3.0
      └── multipart v0.18.0
          └── warp v0.3.3
```

I'd like `multipart` to be removed as a dependency for Warp. It appears to not be maintained anymore either: https://github.com/abonander/multipart
Describe the solution you'd like
This PR appears to fix the issue. I'd like someone to approve it, merge it, and release v0.3.4: #846
Describe alternatives you've considered
I can try to patch `remove_dir_all` to v0.8.0 in my TOML, but this will remain an issue for other projects using this version of Warp.
Can you please share how you're patching `remove_dir_all` in your TOML? I'd like to do the same.
In most cases, simply running `cargo update -p tempfile` in your project should work.
I could do it with this, but I wouldn't recommend it since I would have had to use "master" instead of a version. Unfortunately the version of `tempfile` that gets rid of `remove_dir_all` isn't tagged (3.4.0): https://github.com/Stebalien/tempfile/tags

```toml
[patch.crates-io]
tempfile = { git = "https://github.com/Stebalien/tempfile", branch = "master" }
```
Looks like they just forgot to push the tag to GitHub. The version on https://crates.io/crates/tempfile is 3.4.0.
Thanks! Running `cargo update -p tempfile` as suggested worked for me.
@willclevine You can instead add this: `tempfile = "3.4.0"` to your dependencies block.
`multipart` will be incompatible in the future.

```
warning: the following packages contain code that will be rejected by a future version of Rust: buf_redux v0.8.4, multipart v0.18.0
note:
To solve this problem, you can try the following approaches:

- If the issue is not solved by updating the dependencies, a fix has to be
  implemented by those dependencies. You can help with that by notifying the
  maintainers of this problem (e.g. by creating a bug report) or by proposing a
  fix to the maintainers (e.g. by creating a pull request):

  - buf_redux@0.8.4
    - Repository: https://github.com/abonander/buf_redux
    - Detailed warning command: `cargo report future-incompatibilities --id 6 --package buf_redux@0.8.4`
  - multipart@0.18.0
    - Repository: http://github.com/abonander/multipart
    - Detailed warning command: `cargo report future-incompatibilities --id 6 --package multipart@0.18.0`
```
multipart is archived without future maintenance
Please, is there any news here?
Both packages were archived, and they are only used by warp:

```
❯ cargo tree -i buf_redux
buf_redux v0.8.4
└── multipart v0.18.0
    └── warp v0.3.3
        ...
        └── warp-embed v0.4.0
        ...
❯ cargo tree -i multipart
multipart v0.18.0
└── warp v0.3.3
    ...
    └── warp-embed v0.4.0
    ...
```
Also, the OP even reported there is an open PR that might fix this (#846, since 2021 actually)...
Is there any problem there? Can I do something to help you, even if it is a donation?
Thank you.
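An added example (not code from this thread or from the warp project) that parses an inverse dependency tree like the `cargo tree -i` / `cargo deny` output quoted above and reports which crate to `cargo update -p` first and which root crates are affected. The tree text is constructed from the output quoted in this issue, and the `triage` function and its parsing of the advisory's `Upgrade to >=X` line are my own assumptions about the advisory format.

```python
"""Triage a cargo advisory by walking the inverse dependency tree."""
import re
from typing import List, Tuple

# Constructed sample: the inverse tree `cargo deny check` printed in this
# issue (remove_dir_all -> tempfile -> multipart -> warp), not live output.
SAMPLE_TREE = """\
remove_dir_all v0.5.3
└── tempfile v3.3.0
    └── multipart v0.18.0
        └── warp v0.3.3
"""

# cargo tree draws each nesting level with 4 characters ("└── " or "│   ").
LINE_RE = re.compile(r"^(?P<prefix>[\s│├└─]*)(?P<name>\S+) v(?P<version>\S+)")


def parse_inverse_tree(text: str) -> List[Tuple[int, str, str]]:
    """Return (depth, crate, version) per line; depth 0 is the vulnerable crate."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((len(m.group("prefix")) // 4, m.group("name"), m.group("version")))
    return rows


def dependency_chains(rows: List[Tuple[int, str, str]]) -> List[List[str]]:
    """All paths from the vulnerable crate down to each root (leaf) crate."""
    chains, stack = [], []
    for i, (depth, name, version) in enumerate(rows):
        stack = stack[:depth] + [f"{name} v{version}"]
        if i + 1 == len(rows) or rows[i + 1][0] <= depth:  # leaf == a root crate
            chains.append(list(stack))
    return chains


def is_fixed(installed: str, solution: str) -> bool:
    """Compare the installed version with the advisory's `>=X` solution line."""
    m = re.match(r">=\s*(\S+)", solution)
    if not m:
        raise ValueError(f"unsupported solution format: {solution!r}")
    ver = lambda v: tuple(int(p) for p in v.split(".")[:3])
    return ver(installed) >= ver(m.group(1))


def triage(tree: str, solution: str) -> dict:
    """Hypothetical helper: who pulls the vulnerable crate in, and who is affected."""
    rows = parse_inverse_tree(tree)
    chains = dependency_chains(rows)
    # The crate directly above the vulnerable one declares the dependency, so
    # its update (`cargo update -p <crate>`) is the first place a fix can land.
    direct_users = sorted({c[1].split(" v")[0] for c in chains if len(c) > 1})
    return {"vulnerable": f"{rows[0][1]} v{rows[0][2]}",
            "already_fixed": is_fixed(rows[0][2], solution),
            "update_candidates": direct_users,
            "affected_roots": sorted({c[-1] for c in chains})}
```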
@rsalmei Sorry for not posting sooner, but both @LegendL3n's and @horacimacias's solutions worked for me. Either worked; you don't need to do both.
Well @willclevine, updating `tempfile` might resolve the `error[vulnerability]` problem you put in the description, but it definitely does not solve the problem you put in the title of this thread...
I'm talking about the problem @letbt has brought up.
I'm talking about how ALL projects of mine that use warp now give an ugly warning every single time I compile them:
```
warning: the following packages contain code that will be rejected by a future version of Rust: buf_redux v0.8.4, multipart v0.18.0
note: to see what the problems were, use the option `--future-incompat-report`, or run `cargo report future-incompatibilities --id 92`
```
BOTH `buf_redux` and `multipart` were archived, so there's nothing we can do to fix this; only @seanmonstar can fix this on warp itself. And removing `multipart` will fix both problems, because it is `multipart` itself that uses `buf_redux`.
So, please, do not close this issue. We still do need to 'Remove "multipart" dependency' as you've put on the title. This is not fixed.
@rsalmei you are right! I was overzealous haha. Reopened
Thanks @willclevine. We can only hope this will soon be fixed.