oci-spec-rs

Consider replacing `getset` crate

Open flavio opened this issue 1 year ago • 3 comments

getset is consuming the proc-macro-error dependency.

The RUSTSEC-2024-0370 advisory has just been issued because proc-macro-error is no longer maintained.

getset looks unmaintained too, but doesn't have a RUSTSEC advisory assigned to it, yet.

While IMHO this is nothing serious from a security POV, it would be nice to evaluate the feasibility of replacing getset with a similar crate that is actively maintained and doesn't pull in unmaintained dependencies.

flavio avatar Sep 06 '24 07:09 flavio

@flavio thank you for the report.

@hoverbear do you think we can make getset independent from proc-macro-error?

saschagrunert avatar Sep 09 '24 07:09 saschagrunert

I imagine it would be possible to make that change. @jbaublitz took over the crate sometime a couple years back, perhaps he would be willing to review a PR. (Thanks for reminding me to pass over crate ownership on crates.io)

Hoverbear avatar Sep 09 '24 13:09 Hoverbear

Hi @saschagrunert. I have reviewed a PR upstream to update syn to version 2. I have to look into what's pulling in the unmaintained version a little bit more and see if just updating syn will resolve the issue (out of office at the moment but should have time to take a look at this later today).

jbaublitz avatar Sep 09 '24 13:09 jbaublitz

Why not just make fields public? This is mostly just data and I struggle to find examples where it enforces some invariants.

stepancheg avatar May 06 '25 19:05 stepancheg