Potentially replace unmaintained libraries ignored in audit.toml. #1203
Comments
|
I am applying to this issue via OnlyDust platform. My background and how it can be leveragedI am a process engineer and I have a high problem-solving capacity. I am currently co-founder and developer of my own startup. How I plan on tackling this issueMy work can be divided into 3 stages:
This is my first ODack I hope to contribute a lot, I am available to start immediately |
|
@MPSxDev Go for it! |
Research Outcome:This is the research work carried out, first checking that the repositories are maintained and active, and then verifying the existence of documentation in docs.rs. Below I leave the points found in the audit.toml file Atty: This is no longer maintained 2 years ago an alternative:
Wee_alloc: This has not been maintained for 3 years, a solution may be to implement
curve25519-dalek: Because it has vulnerabilities I found this alternative:
I look forward to your comments and any other requests that may be required. |
|
We had a prior discussion about wee_alloc and decided to keep it: #1151 atty, curve25519-dalek - they are not direct dependencies, right? Can we update any of direct dependencies to fix it? |
|
|
@MPSxDev near-sdk-rs does not directly depend on atty. Please, inspect the dependencies tree to identify which crates we need to update in order to upgrade/eliminate atty and curve25519-dalek. Once identified, we could make a decision whether we can contribute the fix to those dependencies as there is nothing near-sdk-rs can do about it directly. |
|
After a thorough investigation of the packages that include the involved dependencies. These include the atty dependency:
These include ed25519-dalek ( include curve25519-dalek):
Below are the affected packages used, including the current version and whether they continue to use these affected dependencies.
In summary, the following steps should be taken:
|
|
@MPSxDev Great summary! We definitely can act on the first two steps immediately. slip10 has been replaced with slipped10, and that should have been subsequently updated in the recent near-cli-rs and cargo-near releases. Can you give it a try upgrading the dependencies and authoring the atty PR to cargo-near as part of this issue? |
|
@frol Thank you very much. Yes, I can try to update this. If I have any questions, I will let you know. |
**Atty is replaced by std::io::IsTerminal** Because atty has been unmaintained for 4 years, it is necessary to update it in this case to std::io::IsTerminal, which is part of the _Rust Standard Library_. [Ref](https://doc.rust-lang.org/std/io/trait.IsTerminal.html) _Changes:_ - File: cargo-near\src\commands\build_command\docker.rs Description: Atty is replaced by std::io::IsTerminal - File: cargo-near\src\common.rs Description: Atty is replaced by std::io::IsTerminal - File: cargo-near\cargo-near\src\main.rs Description: Atty is replaced by std::io::IsTerminal - File: cargo-near\Cargo.toml Description: Atty is removed and env_logger is updated to 0.11.5 because the previous version used atty. - File: cargo-near\integration-tests\Cargo.toml Description: env_logger is updated to 0.11.5 because the previous version used atty. Reference issue: [Potentially replace unmaintained libraries ignored](near/near-sdk-rs#1203)
|
This issue should be closed, I have already done the audit on the latest version and there is no presence of atty and the versions of other dependencies are already updated to versions without the vulnerability. @frol |
And revisit other ignores.
https://github.com/near/near-sdk-rs/blob/master/.cargo/audit.toml
The text was updated successfully, but these errors were encountered: