
Fix RUSTSEC-2023-0089

Open niclashoyer opened this issue 6 months ago • 0 comments

👋🏽 This is kind of complicated. RUSTSEC-2023-0089 was issued because atomic-polyfill is deprecated. From cargo audit:

Crate:     atomic-polyfill
Version:   1.0.3
Warning:   unmaintained
Title:     atomic-polyfill is unmaintained
Date:      2023-07-11
ID:        RUSTSEC-2023-0089
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0089
Dependency tree:
atomic-polyfill 1.0.3
└── heapless 0.7.17
    └── postcard 1.1.3
        ├── serde_columnar 0.3.14
        │   ├── loro-internal 1.8.1
        │   │   └── loro 1.8.1
        │   │       └── business 0.3.3
        │   └── loro-common 1.8.1
        │       ├── loro-kv-store 1.8.1
        │       │   ├── loro-internal 1.8.1
        │       │   └── loro 1.8.1
        │       ├── loro-internal 1.8.1
        │       └── loro 1.8.1
        └── loro-internal 1.8.

heapless 0.9.x uses an alternative polyfill, but postcard hides this behind an (in their words) experimental feature flag: heapless-v0_9. I do have a working fork that uses the main branch and said feature, though. I think that does not eliminate the need for heapless 0.7 completely.

I think this needs to wait until https://github.com/jamesmunns/postcard/issues/223 is resolved, probably with a postcard 2.0 (compatible with 1.0 bin format).

niclashoyer, Sep 23 '25 19:09