
concolor-control Archived; requires potentially insecure atty #900

Closed
theory opened this issue Jul 15, 2024 · 10 comments

Comments

theory commented Jul 15, 2024

Looks like cargo-edit dependency concolor has been archived for over a year. It, in turn, depends on atty, which appears to be unmaintained and has a potential security issue (sample dependabot report).

Should concolor be removed or replaced with something that's maintained?

epage (Collaborator) commented Jul 15, 2024

With rust-lang/cargo#12425, I am treating cargo-edit as in maintenance mode and am doing the absolute minimum work on it, including for what PRs get reviewed.

theory (Author) commented Jul 15, 2024

Thanks. I'm only interested in seeing security vulnerabilities addressed wherever possible. Whether or not it's worth it here presumably has to do with the timing of rust-lang/cargo#12425 as a replacement.

I suppose in the meantime I can just tell dependabot to STFU about atty.

epage (Collaborator) commented Jul 15, 2024

Why does dependabot care about cargo-edit dependencies?

theory (Author) commented Jul 15, 2024

In this dependabot report, it says atty has a "potential unaligned read". That project depends on pgrx, which depends on cargo-edit, which depends on concolor, which depends on atty.

There are actually a few other paths to atty through pgrx; details in pgcentralfoundation/pgrx#1778.

epage (Collaborator) commented Jul 15, 2024

I can't access that dependabot report.

I'm going to guess you are depending on cargo-edit as a library? Why is that?

theory (Author) commented Jul 15, 2024

I am not, but pgrx does. I don't know why.

theory (Author) commented Jul 15, 2024

rust-lang/rustup#3443 has some information about the atty vulnerability.

workingjubilee commented
Because cargo-pgrx wants to update the files in Cargo.tomls for similar reasons in specific ways...?

workingjubilee commented Jul 15, 2024

In practice, this is not at all a concern from the security perspective, as we don't even support Windows, much less use a custom allocator.

workingjubilee pushed a commit to pgcentralfoundation/pgrx that referenced this issue Jul 15, 2024
Removes one dependency on atty, which has a security vulnerability and
appears to be unmaintained.

Remaining dependencies to be fixed and/or released:

*   killercup/cargo-edit#900
*   eyre-rs/eyre#167
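The pgrx commit above drops one use of atty. In current Rust the tty check that atty was pulled in for is covered by `std::io::IsTerminal`, stable since Rust 1.70, so a crate that only needs "is stdout a terminal, and should I emit colour?" can do without the third-party dependency entirely. The block below is an added example written for this page, not code from cargo-edit, concolor or pgrx; the `ColorEnv`/`should_color` names and the NO_COLOR / CLICOLOR_FORCE / TERM precedence are constructed for illustration, and the only external assumption is a Rust 1.70 or newer toolchain.

```rust
// Added example: terminal colour detection without the atty crate.
// Not cargo-edit's, concolor's or pgrx's code. Assumes Rust 1.70+, where
// std::io::IsTerminal is stable; the policy below is constructed for this
// example, loosely following the common NO_COLOR / CLICOLOR conventions.
use std::io::{self, IsTerminal};

/// Which output stream the colour decision is for (stdout and stderr may
/// differ: one is often piped while the other is still a terminal).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Stream {
    Stdout,
    Stderr,
}

/// The inputs to the colour decision, captured as plain values so the policy
/// can be unit-tested without a real terminal or a real environment.
#[derive(Clone, Debug, Default)]
pub struct ColorEnv {
    /// Result of `is_terminal()` on the target stream.
    pub is_tty: bool,
    /// `NO_COLOR` (https://no-color.org): present and non-empty disables colour.
    pub no_color: Option<String>,
    /// `CLICOLOR_FORCE`: a non-empty value other than "0" forces colour on.
    pub clicolor_force: Option<String>,
    /// `TERM`: "dumb" means the terminal cannot render escape sequences.
    pub term: Option<String>,
}

/// Pure policy: decide whether to emit ANSI colour.
/// Precedence (constructed for this example): NO_COLOR wins, then
/// CLICOLOR_FORCE, then tty-ness combined with TERM.
pub fn should_color(env: &ColorEnv) -> bool {
    // NO_COLOR: present and non-empty disables colour regardless of anything else.
    if env.no_color.as_deref().map_or(false, |v| !v.is_empty()) {
        return false;
    }
    // CLICOLOR_FORCE: a non-empty value other than "0" forces colour even when piped.
    if env.clicolor_force.as_deref().map_or(false, |v| !v.is_empty() && v != "0") {
        return true;
    }
    // Otherwise colour only when writing to a terminal that understands escapes.
    env.is_tty && env.term.as_deref() != Some("dumb")
}

/// Replacement for `atty::is(atty::Stream::Stdout)` / `atty::Stream::Stderr`:
/// the same check via the standard library, so no extra crate is needed.
pub fn is_terminal(stream: Stream) -> bool {
    match stream {
        Stream::Stdout => io::stdout().is_terminal(),
        Stream::Stderr => io::stderr().is_terminal(),
    }
}

/// Read the live process environment and decide for `stream`.
pub fn color_enabled(stream: Stream) -> bool {
    let env = ColorEnv {
        is_tty: is_terminal(stream),
        no_color: std::env::var("NO_COLOR").ok(),
        clicolor_force: std::env::var("CLICOLOR_FORCE").ok(),
        term: std::env::var("TERM").ok(),
    };
    should_color(&env)
}

fn main() {
    // Run directly and then again through a pipe (`| cat`) to see the
    // stdout decision flip while stderr stays attached to the terminal.
    println!("colour on stdout: {}", color_enabled(Stream::Stdout));
    println!("colour on stderr: {}", color_enabled(Stream::Stderr));
}
```

Two checks belong with a change like this. `cargo tree -i atty` prints the inverse dependency tree, i.e. every path by which atty still reaches the build (the automated form of the pgrx -> cargo-edit -> concolor -> atty chain traced by hand in this thread), so it shows whether removing one edge actually removed the crate. `cargo audit` then confirms the RustSec advisory for atty's unaligned read no longer fires against the lock file.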
epage (Collaborator) commented Jul 16, 2024

So long as you know that for a while cargo-edit-the-lib is developed exclusively for cargo-edit-the-bin, semver is tracking the bins and not the libs, we are free to remove things as needed even if used by library users, and this has gone into deep maintenance mode as the functionality is moved into Cargo.

As this doesn't seem to be an issue, I'm closing this.

epage closed this as not planned Jul 16, 2024