Replace `atty` dependency in `slog-term` due to RUSTSEC-2021-0145
Closed this issue · 5 comments
The title says it all, but there is an advisory for `atty`, which is unmaintained, and this dependency likely needs to be replaced with something else. Advisory is here: https://rustsec.org/advisories/RUSTSEC-2021-0145.html
Thanks!
Hi! I fixed this in PR slog-rs/term#45
This doesn't look particularly important, so I'm not going to rush an emergency hotfix.
I will release it in the next batch of updates for `term` when I release v2.9.1.
This will probably come sometime in early December. I have one more week of classes and then finals.
Looks great, thanks @Techcable! Looks like tests are failing due to:
```
  Downloaded once_cell v1.16.0
error: failed to parse manifest at `/home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/once_cell-1.16.0/Cargo.toml`
Caused by:
  feature `edition2021` is required
  this Cargo does not support nightly features, but if you
  switch to nightly channel you can add
  `cargo-features = ["edition2021"]` to enable this feature
Error: Process completed with exit code 101.
```
As far as timeliness, December should be fine, but I will say that projects are having to allowlist this RUSTSEC in cargo-deny/cargo-audit rules until it's fixed. No big deal though, I have a tracking ticket internally to clean up the deny rules once this lands. Our project is not actually vulnerable due to this, it's just making `cargo deny` complain :)
I added a comment to that PR explaining the test failures.
If MSRV is ever raised to 1.70, this dependency can also be dropped in favour of `std::io::IsTerminal`