
Allow paste even though unmaintained, for now #1879

Closed

Conversation


@EliahKagan EliahKagan commented Mar 8, 2025

https://rustsec.org/advisories/RUSTSEC-2024-0436.html now causes the cargo deny advisories check to fail (even if the separate and more important failure from ring is fixed by bumping the ring version, as in #1878).

paste is mature and would be hard to remove as a transitive dependency at this time:

```text
> cargo tree --invert paste --no-dedupe --depth 3
paste v1.0.15 (proc-macro)
└── ratatui v0.26.3
    ├── crosstermion v0.14.0
    │   ├── gitoxide v0.41.0 (C:\Users\ek\source\repos\gitoxide)
    │   └── prodash v29.0.0
    ├── prodash v29.0.0
    │   ├── gitoxide v0.41.0 (C:\Users\ek\source\repos\gitoxide)
    │   ├── gix v0.70.0 (C:\Users\ek\source\repos\gitoxide\gix)
    │   └── gix-features v0.40.0 (C:\Users\ek\source\repos\gitoxide\gix-features)
    └── tui-react v0.23.2
        ├── crosstermion v0.14.0
        └── prodash v29.0.0
```

As discussed in rustsec/advisory-db#2215 and leptos-rs/leptos#3685, paste is widely used and there is community interest in maintaining it.

When the status changes or more information about the future of paste or its alternatives is available, deny.toml could be updated again (even if only with a comment).


This PR adds a commit atop #1878. It would be reasonable to include this change there, but I cannot use a review comment to propose an automatically applicable patch to code in a PR that is not changed or right next to lines that are changed. I considered opening this against the Dependabot branch for #1878 rather than against main, but in this case it seems like that might be more complicated to handle; but I'd be pleased to change the base branch on request.

If #1878 is merged first, then this can be merged and the history should be okay and still free of duplicate commits. Or this could be rebased after that for a slightly clearer history. Or if this is merged before #1878, it will bring in the changes from there, and I believe #1878 will be closed automatically. Another option is to merge this commit into the branch for #1878 (git merge 1d9f7cd when on that branch) and then merge #1878.

This causes the cargo deny advisories check to pass. The remaining failures here are unrelated to the changes. They are the same as the other failures occurring on main: test-fixtures-windows (due to #1849, #1870 would fix) and test-32bit (due to rustup changes, #1874 would fix).
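The `deny.toml` change itself is not shown on this page. As an added illustration (not the project's actual diff), this is the shape such a scoped exception takes in cargo-deny's configuration; the `{ id, reason }` table form of an `ignore` entry and the comment text are assumptions, not taken from the PR:

```toml
# Added example: scope the exception to the single advisory named in the
# PR, record why it is tolerated, and note when to revisit it. This is far
# narrower than lowering the `unmaintained` severity for every crate.
[advisories]
ignore = [
    # RUSTSEC-2024-0436: `paste` is unmaintained. It is a proc-macro reached
    # only through ratatui -> crosstermion / prodash / tui-react, so it does
    # not run at runtime in shipped binaries and would be hard to drop now.
    # Revisit once a maintained fork or a ratatui release without it exists.
    { id = "RUSTSEC-2024-0436", reason = "paste is a build-time proc-macro; transitive via ratatui; community maintenance under discussion" },
]
```

The `reason` text is surfaced by `cargo deny check advisories` alongside the ignored advisory, so the rationale stays visible in CI output rather than only in a comment.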

Bumps the cargo group with 1 update in the / directory: [ring](https://github.com/briansmith/ring).


Updates `ring` from 0.17.8 to 0.17.13
- [Changelog](https://github.com/briansmith/ring/blob/main/RELEASES.md)
- [Commits](https://github.com/briansmith/ring/commits)

---
updated-dependencies:
- dependency-name: ring
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
https://rustsec.org/advisories/RUSTSEC-2024-0436.html now causes
the `cargo deny advisories` check to fail (even if the separate and
more important failure from `ring` is fixed by bumping the `ring`
version, as in GitoxideLabs#1878).

`paste` is mature and would be hard to remove as a transitive
dependency at this time:

    > cargo tree --invert paste --no-dedupe --depth 3
    paste v1.0.15 (proc-macro)
    └── ratatui v0.26.3
        ├── crosstermion v0.14.0
        │   ├── gitoxide v0.41.0 (C:\Users\ek\source\repos\gitoxide)
        │   └── prodash v29.0.0
        ├── prodash v29.0.0
        │   ├── gitoxide v0.41.0 (C:\Users\ek\source\repos\gitoxide)
        │   ├── gix v0.70.0 (C:\Users\ek\source\repos\gitoxide\gix)
        │   └── gix-features v0.40.0 (C:\Users\ek\source\repos\gitoxide\gix-features)
        └── tui-react v0.23.2
            ├── crosstermion v0.14.0
            └── prodash v29.0.0

As discussed in rustsec/advisory-db#2215
and leptos-rs/leptos#3685, `paste` is
widely used and there is community interest in maintaining it.

When the status changes or more information about the future of
`paste` or its alternatives is available, `deny.toml` could be
updated again (even if only with a comment).
@EliahKagan

Because a similar change to 1d9f7cd in this PR is included in cf7f34d (added to #1882), and cf7f34d also includes another change for an advisory published after this PR was opened, I think 1d9f7cd in this PR can be considered superseded. But the only other changes in this PR are those from #1878.

I suspect that #1878 can also be closed due to another change added to #1882. I'll check into that shortly. Either way, whether or not #1878 is also superseded, I think this establishes this PR as superseded.

@EliahKagan EliahKagan closed this Mar 11, 2025
@EliahKagan EliahKagan deleted the run-ci/paste branch March 11, 2025 11:08