Get rid of proc-macro-error (RUSTSEC-2024-0370 and syn version) #351

Closed
domenicquirl opened this issue Sep 10, 2024 · 4 comments · Fixed by #350 or #354

Comments

@domenicquirl

So, someone filed an advisory against proc-macro-error for being unmaintained. Since validator-derive uses it, using validator made this show up in our CI. Tbh I'm somewhat sceptical as to the proposed solution of migrating to proc-macro-error2, both because it is very recent and already had to release a bugfix for an oversight they made when forking the project, and because the primary reason to use proc-macro-error at all (to me, at least) is because it abstracts over stable vs. nightly diagnostic capabilities for proc macros, which the sequel doesn't do - they use a feature flag instead that needs to be set by the dependent.

That said, the original proc-macro-error due to its age is also one of the few crates in our dependency graph to still depend on syn version 1. Having to compile syn twice in an early stage of the build (since it is needed for basically all proc macros) is not great, and might honestly be a better / bigger reason to stop using proc-macro-error. As an alternative to switching to proc-macro-error2, here's a recent PR in utoipa (in particular the Diagnostics bit here, which GitHub likes to collapse by default). It's a bigger PR, but their macro API surface is also very large, so it should be less effort to do for validator-derive if that is wanted.
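An added illustration of the duplicated-`syn` point in the comment above (not part of the original thread and not code from validator): it reads a `Cargo.lock` and lists, per locked version of a crate, which packages require it. The lockfile excerpt, `example-derive` and all version numbers are constructed placeholders, and `who_pulls` is a hypothetical helper name.

```rust
use std::collections::BTreeMap;

// Constructed Cargo.lock excerpt: `example-derive` and every version are placeholders.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "example-derive"
version = "0.1.0"
dependencies = [
 "proc-macro-error",
 "syn 2.0.0",
]
[[package]]
name = "proc-macro-error"
version = "1.0.0"
dependencies = [
 "syn 1.0.0",
]
[[package]]
name = "syn"
version = "1.0.0"
[[package]]
name = "syn"
version = "2.0.0"
"#;

/// Hypothetical helper: maps each version of `krate` named in a dependency entry
/// to the packages that require it. Line-based reader, not a general TOML parser.
fn who_pulls(lock: &str, krate: &str) -> BTreeMap<String, Vec<String>> {
    let mut out: BTreeMap<String, Vec<String>> = BTreeMap::new();
    let mut current = String::new(); // name of the [[package]] being read
    for line in lock.lines().map(str::trim) {
        if let Some(name) = line.strip_prefix("name = ") {
            current = name.trim_matches('"').to_string();
        } else if line.starts_with('"') {
            // Dependency entry: "name" when one version is locked, else "name version".
            let dep = line.trim_matches(|c: char| c == '"' || c == ',');
            let mut parts = dep.split(' ');
            if parts.next() == Some(krate) {
                let ver = parts.next().unwrap_or("(only version)").to_string();
                out.entry(ver).or_default().push(current.clone());
            }
        }
    }
    out
}

fn main() {
    println!("{:#?}", who_pulls(SAMPLE_LOCK, "syn"));
}
```

On a real checkout, `cargo tree -d` and `cargo tree -i proc-macro-error` report the same relationships from the resolved dependency graph.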

@domenicquirl
Author

There is also proc-macro2-diagnostics which is maintained and provides the same functionality (namely the nightly detection) of proc-macro-error.

empwilli added a commit to empwilli/omnect-cli that referenced this issue Oct 2, 2024
proc-macro-error is unmaintained as of now. The authors of the validator
crate are aware of the issue and working on it
(Keats/validator#351) as of now, however, there
is no solution. As this issue is not critical for operation we ignore it
for now and update the affected dependencies when the updates are
available.
@pvichivanives
Contributor

Update on this in case anyone is following: PR has been merged, awaiting new version release though.

@timleslie

Just to set expectations, is there an ETA on a release? We have a low-urgency ticket to resolve the RUSTSEC issue in our repo, so it would be helpful if I could update that with a timeframe.

Thanks for all the work that goes into maintaining this crate, it's much appreciated 🙏

@Keats
Owner

Keats commented Nov 1, 2024

Probably next week when I get back from holiday

@Keats Keats closed this as completed in #354 Nov 3, 2024