
flagging Abandonware

Open 5byuri opened this issue 1 month ago • 0 comments

I read an interesting blog post by edera.dev about Abandonware

While the active forks have been successfully patched (see also Astral Security Advisory), this disclosure highlights a major systemic challenge: the highly downloaded tokio-tar remains unpatched.

Our suggested remediation is to immediately upgrade to one of the patched versions or remove this dependency. If you depend on tokio-tar, consider migrating to an actively maintained fork like astral-tokio-tar. In addition, the Edera fork krata-tokio-tar will be archived to coalesce all efforts with the astral fork and reduce the ecosystem confusion.

Adding this to Devguard would be really cool in my opinion. This would add a little bit of OSS-Risk-Assessment to Devguard aside from OpenSSF Scorecards.

OpenSSF Scorecards should correlate strongly with abandonware, so we could also just work more closely with the scores.

We could also flag every repository that is archived on GitHub/GitLab/the responsible Git instance. Maybe search for forks that are still actively maintained?

We could add flagging to the organization-wide package search and to the general repository-wide dependency search.

5byuri avatar Nov 12 '25 10:11 5byuri
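One way to implement the check the issue asks for (archived upstream, no recent pushes, a low OpenSSF Scorecard "Maintained" score, and a ranked list of forks that are still alive), written as an added example that is not DevGuard's code. The JSON field names `full_name`, `archived`, `pushed_at` and `stargazers_count` are the real ones returned by the GitHub REST API for `GET /repos/{owner}/{repo}` and `GET /repos/{owner}/{repo}/forks`; the two JSON payloads, the one-year staleness threshold and the Scorecard cut-off of 5 are constructed assumptions for this example, not project policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// repoMeta is the subset of fields this example reads from the GitHub REST
// API responses (GET /repos/{owner}/{repo} and GET /repos/{owner}/{repo}/forks).
// The JSON keys match the real API; the decision logic below is an assumption.
type repoMeta struct {
	FullName string    `json:"full_name"`
	Archived bool      `json:"archived"`
	PushedAt time.Time `json:"pushed_at"` // RFC3339, decoded by encoding/json
	Stars    int       `json:"stargazers_count"`
}

// Verdict is what a dependency scanner could attach to a package entry.
type Verdict struct {
	Repo        string
	Flagged     bool
	Reasons     []string
	ActiveForks []string // candidate replacements, most-starred first
}

// Assess flags a repository as likely abandonware and lists forks that are
// still maintained. staleAfter is the "no push for this long" threshold;
// scorecardMaintained is the OpenSSF Scorecard "Maintained" score (0-10),
// or -1 when no Scorecard result is available. The cut-off of 5 is assumed.
func Assess(upstream repoMeta, forks []repoMeta, now time.Time, staleAfter time.Duration, scorecardMaintained int) Verdict {
	v := Verdict{Repo: upstream.FullName}
	if upstream.Archived {
		v.Reasons = append(v.Reasons, "repository is archived")
	}
	if now.Sub(upstream.PushedAt) > staleAfter {
		days := int(now.Sub(upstream.PushedAt).Hours() / 24)
		v.Reasons = append(v.Reasons, fmt.Sprintf("last push %d days ago", days))
	}
	if scorecardMaintained >= 0 && scorecardMaintained < 5 {
		v.Reasons = append(v.Reasons, fmt.Sprintf("Scorecard Maintained score %d/10", scorecardMaintained))
	}
	v.Flagged = len(v.Reasons) > 0

	// A fork counts as alive only if it is not archived itself and has
	// seen a push inside the same window used for the upstream.
	var alive []repoMeta
	for _, f := range forks {
		if !f.Archived && now.Sub(f.PushedAt) <= staleAfter {
			alive = append(alive, f)
		}
	}
	sort.Slice(alive, func(i, j int) bool { return alive[i].Stars > alive[j].Stars })
	for _, f := range alive {
		v.ActiveForks = append(v.ActiveForks, f.FullName)
	}
	return v
}

// Constructed API responses for the example; not captured from github.com.
const upstreamJSON = `{"full_name":"example/tar-lib","archived":false,"pushed_at":"2023-03-01T10:00:00Z","stargazers_count":400}`
const forksJSON = `[
 {"full_name":"alice/tar-lib","archived":false,"pushed_at":"2025-10-20T08:00:00Z","stargazers_count":35},
 {"full_name":"bob/tar-lib","archived":true,"pushed_at":"2025-09-01T08:00:00Z","stargazers_count":90},
 {"full_name":"carol/tar-lib","archived":false,"pushed_at":"2024-01-05T08:00:00Z","stargazers_count":12}
]`

// AssessConstructedSample decodes the constructed payloads and runs Assess
// with a fixed "now" so the result is reproducible offline.
func AssessConstructedSample() (Verdict, error) {
	var upstream repoMeta
	if err := json.Unmarshal([]byte(upstreamJSON), &upstream); err != nil {
		return Verdict{}, err
	}
	var forks []repoMeta
	if err := json.Unmarshal([]byte(forksJSON), &forks); err != nil {
		return Verdict{}, err
	}
	now := time.Date(2025, 11, 12, 0, 0, 0, 0, time.UTC)
	return Assess(upstream, forks, now, 365*24*time.Hour, 2), nil
}

func main() {
	v, err := AssessConstructedSample()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", v)
}
```

In a real integration the two JSON strings would come from authenticated API calls (forks are paginated, so the scanner has to walk every page before ranking), and "archived" should be treated as a hard flag regardless of the other signals: an archived repository will never receive a security patch, which is exactly the tokio-tar situation the blog post describes.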