
[RUSTSEC-2024-0003] [RUSTSEC-2024-0019] and [RUSTSEC-2020-0043] (among many others)

Open Pi-Cla opened this issue 4 months ago • 4 comments

Bug Report

Currently this project is depending on dependencies which are vulnerable to: RUSTSEC-2024-0019, RUSTSEC-2024-0003, RUSTSEC-2020-0043

In addition it is also depending on a bunch of unmaintained crates (listed on RUSTSEC too)

Environment

Zola version: Next branch

Expected Behavior

When I run cargo audit on this repo I get no alerts

Steps to reproduce

Run cargo audit on the next branch

Pi-Cla avatar Mar 24 '24 22:03 Pi-Cla

My proposed solution can be seen in this branch (I have run cargo test and all of the tests still pass), where ws is replaced with parity-ws (ws has yet to merge a PR that would fix RUSTSEC-2020-0043) and cargo update was run to fix the other two vulnerabilities.

See cargo-audit-zola-old.txt for the audit report before my changes and cargo-audit-zola-new.txt for the new audit report. I think markdown is a false positive, since this repo seems to have its own package called markdown.

The other three remaining alerts stem from our dependency on atty, net2 via an old version of mio, and encoding via an old version of lindera

Pi-Cla avatar Mar 24 '24 22:03 Pi-Cla
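As an added example (not code from this issue or from the zola project), a small Python script that triages `cargo audit --json` output the way the comment above does: real vulnerabilities, unmaintained/yanked warnings, and advisories that hit a package name also defined in the local workspace (like `markdown` here), which are likely false positives. The JSON layout is my understanding of the cargo-audit format, and the sample report and the non-ws advisory ids are constructed placeholders.

```python
# Added example (not zola's code): triage a `cargo audit --json` report.
# Assumed layout: a `vulnerabilities.list` array and a `warnings` map keyed
# by kind. The sample is constructed; only RUSTSEC-2020-0043 (ws) is real.
import json

SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"list": [
        {"advisory": {"id": "RUSTSEC-2020-0043", "package": "ws"},
         "package": {"name": "ws", "version": "0.9.1"}},
        {"advisory": {"id": "RUSTSEC-0000-0001", "package": "markdown"},
         "package": {"name": "markdown", "version": "0.3.0"}},
    ]},
    "warnings": {
        "unmaintained": [
            {"kind": "unmaintained",
             "advisory": {"id": "RUSTSEC-0000-0002", "package": "atty"},
             "package": {"name": "atty", "version": "0.2.14"}},
        ],
        "yanked": [{"kind": "yanked",
                    "package": {"name": "net2", "version": "0.2.33"}}],
    },
})

def triage(report_json, workspace_packages):
    """Split a report into real vulnerabilities, warnings and likely false
    positives: an advisory naming a crate that this workspace itself defines
    (zola's own `markdown`) is a name collision, so it goes to `suspect`."""
    report = json.loads(report_json)
    result = {"vulnerabilities": [], "warnings": [], "suspect": []}
    for entry in report.get("vulnerabilities", {}).get("list", []):
        pkg = entry["package"]
        item = (entry["advisory"]["id"], pkg["name"], pkg["version"])
        bucket = "suspect" if pkg["name"] in workspace_packages else "vulnerabilities"
        result[bucket].append(item)
    for kind, entries in report.get("warnings", {}).items():
        for entry in entries:
            advisory = entry.get("advisory") or {}  # yanked entries carry none
            result["warnings"].append((kind, advisory.get("id"), entry["package"]["name"]))
    return result

def gate(result, fail_on_warnings=False):
    """CI exit status: 1 on any real vulnerability, optionally on warnings too."""
    if result["vulnerabilities"] or (fail_on_warnings and result["warnings"]):
        return 1
    return 0

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT, {"markdown"}).items():
        print(bucket, items)
```

Pipe a real report in with `cargo audit --json` and pass the workspace member names from Cargo.toml to get the same three buckets; `gate(..., fail_on_warnings=True)` is the strict mode for a CI job that also wants unmaintained crates to fail the build.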

I am less sure how to go about fixing the last three so any suggestions are appreciated

Pi-Cla avatar Mar 24 '24 22:03 Pi-Cla

Someone is working on some changes for the server (https://github.com/InDieTasten/zola-codespaces/issues/1) cc @InDieTasten so I wouldn't bother changing the ws library for now. As for the deprecated/unmaintained libraries I'll update most of them for the next version. There was one where the maintainer disappeared but I don't remember which one - guess I'll see soon.

Keats avatar Mar 25 '24 09:03 Keats

I can confirm I'm updating hyper and related dependencies right now :)

InDieTasten avatar Mar 25 '24 11:03 InDieTasten