RUSTSEC-2021-0153: encoding is unmaintained
Running osv-scanner on this repo results in only one RUSTSEC https://osv.dev/vulnerability/RUSTSEC-2021-0153
cargo-deny also fails because of this.
dicom-encoding crate includes
encoding = "0.2.33"
There is no updated version, because it is unmaintained. cf. https://github.com/lifthrasiir/rust-encoding/issues/127
This presents a problem for safety critical medical devices using that crate.
The recommended alternative is https://github.com/hsivonen/encoding_rs. Probably isn't too much effort to switch over. I can give it a go unless there are objections or other factors to be considered.
Thank you for reporting. That is a known situation which is being tracked in #200. If you or someone else can do the switch to encoding_rs while keeping support for the existing text encodings and retaining compliance with the current TextCodec API, I would be very grateful. Feel free to ask questions or reach out on Zulip if you need more assistance.
I think that it's time to start trying to integrate the encoding_rs crate. Then, we just need to add a new feature to distinguish between rust_encoding and encoding_rs. When others depend on the dicom crate, they can freely decide whether to use rust_encoding or encoding_rs at the underlying level.
@Enet4 @xb284524239 This issue has a pull request waiting for a month.