Potentially replace unmaintained libraries ignored in audit.toml. #1203
I am applying to this issue via the OnlyDust platform.

My background and how it can be leveraged: I am a process engineer and I have a high problem-solving capacity. I am currently co-founder and developer of my own startup.

How I plan on tackling this issue: My work can be divided into 3 stages:

This is my first ODack; I hope to contribute a lot. I am available to start immediately.

@MPSxDev Go for it!
Research Outcome: This is the research work carried out, first checking that the repositories are maintained and active, and then verifying the existence of documentation on docs.rs. Below I leave the points found in the audit.toml file.

Atty: This has not been maintained for 2 years; an alternative:

Wee_alloc: This has not been maintained for 3 years; a solution may be to implement

curve25519-dalek: Because it has vulnerabilities I found this alternative:

I look forward to your comments and any other requests that may be required.

We had a prior discussion about wee_alloc and decided to keep it: #1151

atty, curve25519-dalek - they are not direct dependencies, right? Can we update any of the direct dependencies to fix it?
@MPSxDev near-sdk-rs does not directly depend on atty. Please, inspect the dependencies tree to identify which crates we need to update in order to upgrade/eliminate atty and curve25519-dalek. Once identified, we could make a decision whether we can contribute the fix to those dependencies as there is nothing near-sdk-rs can do about it directly.
After a thorough investigation of the packages that include the involved dependencies, the following include the atty dependency:

These include ed25519-dalek (which includes curve25519-dalek):

Below are the affected packages used, including the current version and whether they continue to use these affected dependencies.

In summary, the following steps should be taken:

@MPSxDev Great summary! We definitely can act on the first two steps immediately. slip10 has been replaced with slipped10, and that should have been subsequently updated in the recent near-cli-rs and cargo-near releases. Can you give upgrading the dependencies a try and author the atty PR to cargo-near as part of this issue?

@frol Thank you very much. Yes, I can try to update this. If I have any questions, I will let you know.
**Atty is replaced by std::io::IsTerminal**

Because atty has been unmaintained for 4 years, it is necessary to update it in this case to std::io::IsTerminal, which is part of the _Rust Standard Library_. [Ref](https://doc.rust-lang.org/std/io/trait.IsTerminal.html)

_Changes:_
- File: cargo-near\src\commands\build_command\docker.rs
  Description: Atty is replaced by std::io::IsTerminal
- File: cargo-near\src\common.rs
  Description: Atty is replaced by std::io::IsTerminal
- File: cargo-near\cargo-near\src\main.rs
  Description: Atty is replaced by std::io::IsTerminal
- File: cargo-near\Cargo.toml
  Description: Atty is removed and env_logger is updated to 0.11.5 because the previous version used atty.
- File: cargo-near\integration-tests\Cargo.toml
  Description: env_logger is updated to 0.11.5 because the previous version used atty.

Reference issue: [Potentially replace unmaintained libraries ignored](near/near-sdk-rs#1203)
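The replacement described in the PR summary above, shown as a small added example that is not cargo-near's own code: the `atty::is(atty::Stream::Stdout)` call is swapped for the standard library's `std::io::IsTerminal` trait (stable since Rust 1.70), which removes the unmaintained crate from the dependency tree entirely. The helper names `supports_color` and `styled` are assumptions for illustration; the only real API used is `IsTerminal::is_terminal`.

```rust
// Added example (not cargo-near's code): replace the unmaintained `atty` crate
// with std::io::IsTerminal. Any type implementing IsTerminal (Stdout, Stderr,
// File, ...) can be passed, which also makes the logic testable offline.
use std::io::{self, IsTerminal, Write};

/// Decide whether ANSI colour codes may be written to `stream`.
/// Before (atty):  atty::is(atty::Stream::Stdout)
/// After  (std):   io::stdout().is_terminal()
pub fn supports_color<T: IsTerminal>(stream: &T) -> bool {
    stream.is_terminal()
}

/// Wrap `msg` in ANSI bold only when `stream` is an interactive terminal, so
/// that piped or redirected output (CI logs, files) stays free of escapes.
pub fn styled<T: IsTerminal>(stream: &T, msg: &str) -> String {
    if supports_color(stream) {
        format!("\x1b[1m{msg}\x1b[0m")
    } else {
        msg.to_string()
    }
}

fn main() -> io::Result<()> {
    let stdout = io::stdout();
    let line = styled(&stdout, "build finished");
    writeln!(io::stdout().lock(), "{line}")?;
    Ok(())
}
```

Run with `cargo run` in a terminal and again with the output piped (`cargo run | cat`) to see the escape sequence appear only in the interactive case; a plain `File` handle is never a terminal, which is what the test below relies on.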
This issue should be closed; I have already done the audit on the latest version and there is no presence of atty, and the versions of other dependencies are already updated to versions without the vulnerability. @frol
And revisit other ignores.
https://github.com/near/near-sdk-rs/blob/master/.cargo/audit.toml