The crate paste is unmaintained #349

Closed
danielhjacobs opened this issue Mar 7, 2025 · 5 comments

@danielhjacobs

See https://rustsec.org/advisories/RUSTSEC-2024-0436

@ErichDonGubler
Member

@danielhjacobs: This is interesting to know, but it doesn't seem actionable. The paste crate does its job well, and otherwise is not a liability. It's also significant that…as far as I know, there's not a real alternative to the paste crate out there, let alone a maintained one.

Did you have a solution in mind for this issue, or were you just forwarding this RustSec report?

@danielhjacobs
Author

danielhjacobs commented Mar 8, 2025

Mainly forwarding the issue because we have a GitHub action that checks dependencies for advisories using https://github.com/EmbarkStudios/cargo-deny-action. We don't block anything using it but it's just a little annoying if it's always failing as it will need to be manually checked for new failure conditions every time it runs now.

@cwfitzgerald
Member

For both wgpu and metal-rs we should add this advisory to the ignore list and move on. I trust dtolnay not to do something stupid with crate ownership.

@ErichDonGubler
Member

@cwfitzgerald: I don't think we have a cargo-deny check in metal-rs that would enforce this in the same way as in wgpu. Said another way: I don't think there are any action items for the metal-rs repo specifically.

@danielhjacobs: You can add "[RUSTSEC-2024-0436](https://rustsec.org/advisories/RUSTSEC-2024-0436)" to your cargo-deny's advisories.ignore configuration to work around this issue for now. Once a clear solution emerges, we can re-open this issue and go from there.

@ErichDonGubler closed this as not planned Mar 11, 2025

@danielhjacobs
Author

FWIW, per rustsec/advisory-db#2215, AS1100K created https://github.com/AS1100K/pastey as a fork/drop-in replacement for paste.

dtolnay said "I don't plan to endorse a particular replacement, but it doesn't make a difference to me. For my own use cases I would use paste since it is 'finished' and does everything I need."

decathorpe offered to maintain paste itself in its current state if it were un-archived and transferred to him or commons-rs, but dtolnay did not reply to that.
