
`dotenv` crate is implicitly unmaintained

Status: Open. JohnTitor opened this issue 2 years ago, 19 comments

As of May 21st, 2022, the latest version of https://github.com/dotenv-rs/dotenv is 0.15.0, which was published on October 22nd, 2019, and the latest commit is 3c1a77bc95821777e5ceb996c5e0b082f2a3ea38, which was pushed on Jun 27th, 2020. On Dec 24th, 2021, someone asked about the project status on Current maintenance state · Issue #74 · dotenv-rs/dotenv but there's no response from the maintainers. I'm not sure how long "prolonged period" refers to, but this crate is a candidate for an "unmaintained" crate, I think. At least we should monitor how things are going there.

JohnTitor, May 21 '22 07:05

I wonder whether pandemic time should count differently from non-pandemic time... anyway, I see that the maintainer appears to be ZoeyR, who is one of a number of Rustaceans who have vanished from Rust circles after going to work for a certain company (I suggested she wear telemetry gear so we could try to find out what happened to the others, but she just laughed 😉).

@est31: are you still in contact with ZoeyR?

8573, May 21 '22 09:05

Yes she's still alive and I had recent contact with her. I've sent her a DM on discord, let's see whether she reacts.

est31, May 21 '22 14:05

@est31 Any updates from them?

JohnTitor, Jun 11 '22 22:06

No reaction, I'm sorry.

est31, Jun 11 '22 22:06

Alright! Hmm, the situation seems complicated to me: given their GitHub activities, they aren't inactive, but the crate maintenance is inactive... I'd like to somehow notify users of the situation and thought reporting here would be a good option.

@tarcieri @Shnatsel Any thoughts on this?

JohnTitor, Jun 11 '22 22:06

The current guides on this say this:

Implicitly unmaintained: the author is incommunicado for a prolonged period of time and cannot advise as to a crate's status.

Contact attempts with the author made with no response. Ideally these attempts are made via a public GitHub issue, so that issue can be cited in an unmaintained crate advisory if need be. Unresponsiveness by the author over a period of 90 days is suggested before filing an advisory.

it also says 90 days for contact attempts, so imo this should wait longer.

BlackHoleFox, Jun 11 '22 23:06

it also says 90 days for contact attempts, so imo this should wait longer.

I wouldn't oppose waiting longer if that would be less controversial, but a 90-day period has elapsed since

On Dec 24th, 2021, someone asked the project status on Current maintenance state · Issue #74 · dotenv-rs/dotenv

8573, Jun 11 '22 23:06

Has anyone tried contacting @sgrif ? They are listed as crates.io owner of the crate and also have write access on github. The dotenv crate has a lot of downloads (>1 million recent!) so it would be good if it were maintained, even if a maintainer change is necessary.

Also pinging @VictorKoenders as they have more contact to Zoey than me.

est31, Jun 12 '22 00:06

I can't believe I have to spell this out but...

Please don't ping random people that are not involved with the project.

VictorKoenders, Jun 12 '22 06:06

Please don't ping random people that are not involved with the project.

You are not directly involved but you have power to make progress on this issue. I'm very glad that at least you give any response at all, and am hopeful that you will be of help. One day you will probably be in the same shoes as the users here, who want to get fixes merged but they don't get merged because maintainers are unresponsive, e.g. for https://github.com/dotenv-rs/dotenv/pull/72

I just want to avoid the more painful migration of the ecosystem to more maintained forks of the crate.

Anyways, I suggest people (edit: ONE person, not everyone) to contact sgrif via twitter DM as they seem to be active there, and because the biggest user of the dotenv crate is diesel, for which sgrif has successfully made a maintainership change.

I don't have much of a stake in this either I'm afraid.

est31, Jun 12 '22 15:06

You are not directly involved but you have power to make progress on this issue.

If a person knows a maintainer, it doesn't give them the power to make any progress on the issue. I don't know about others, but I wouldn't always want people in a personal circle to ping/ask/discuss about some open source maintenance. I don't see why Victor should be pulled into this issue.

Dylan-DPC, Jun 12 '22 15:06

FTR, for "progress" I put the bar pretty low. I meant getting any reply at all, even if it is "I don't have the time to do maintenance of this crate at the current moment" or something. Sometimes people genuinely don't notice if you ping them directly on GitHub, don't see e-mails in their inbox, etc. I once had to ping a maintainer of a similarly widely used crate on another repo, and they were actually responsive and even explained to me why they are not merging PRs (I didn't even ask for a why, but ofc I was happy that I got it explained). I suppose they had turned off notifications from the main repo.

Such statements are genuinely helpful to assessing whether the community should switch to a more maintained fork or not. If I understand it correctly, rustsec is about to categorize dotenv as unmaintained, at which point, correct me if I'm wrong, it would end up causing warnings for way more people than just the ones in the personal circle of the dotenv maintainers (>500 direct reverse dependencies, but probably only a subset do rustsec db based warnings). If there is the chance that the maintainers still want to maintain it or give it to others, then it should be considered first. Ghosting creates this uncomfortable limbo state that is not very helpful to users at all.

Also I want to point out that Victor and Zoey have common open source projects (see bincode).

Anyways this is my last message in this thread, I don't want to get involved in this any further. I'm here because I was pinged myself (see above), and thought I could be of help. I wish the affected users good luck, I'm out.

est31, Jun 12 '22 16:06

Marking any crate with millions of downloads as unmaintained is going to be quite noisy, and in that regard if anything I'd prefer people be overcommunicative with maintainers and adjacent when doing due diligence on a particular crate's status.

Likewise someone who is a crates.io owner for a particular crate is definitely not "random people" and I have marked comments to that effect off topic.

Keep discussion in this thread on the topic of determining dotenv's maintenance status, please.

tarcieri, Jun 12 '22 18:06

the maintainer appears to be ZoeyR, who is one of a number of Rustaceans who have vanished from Rust circles after going to work for a certain company (I suggested she wear telemetry gear so we could try to find out what happened to the others, but she just laughed :wink: ).

scary

Hezuikn, Jun 19 '22 22:06

@Hezuikn you are not being helpful. Also, for the record, the claim you quoted was wrong, she actually is still in Rust circles, just moved to different ones.

est31, Jun 24 '22 14:06

Do we have alternatives / forks ?

There is a fork now called dotenvy which might be an actionable fix for people if we were to flag it unmaintained: https://github.com/dotenv-rs/dotenv/issues/74#issuecomment-1054574802

https://github.com/dotenv-rs/dotenv/issues/79 https://github.com/allan2/dotenvy/ https://crates.io/crates/dotenvy

@allan2 @hoijui

https://github.com/dotenv-rs/dotenv/issues/74#issuecomment-1054606024 https://github.com/dotenv-rs/dotenv/issues/74#issuecomment-1061934920

However dotenvy hasn't had a release since March - repo was updated 9 days ago.

So that we don't have another situation like this -

Would it be helpful to have more than one maintainer for it or have a backup plan ?

Note: I would be slightly hesitant to proceed with unmaintained when the crate says it is intended to be used only in test / dev env; nonetheless there are associated monorepo crates which don't mention this and are used elsewhere.

Cheers

pinkforest, Aug 14 '22 08:08

I am ready to help maintain it if needed and form a team to increase the bus factor, if either the old maintainers or the envy ones are interested.

Dylan-DPC, Aug 14 '22 08:08

@Dylan-DPC I'm the maintainer of dotenvy.

Thank you for your interest on this topic. I've invited you to the repo.

allan2, Aug 14 '22 09:08

Thanks, I got it.

Dylan-DPC, Aug 14 '22 10:08

This reply is based on my comment on #1359.

However dotenvy hasn't had a release since March - repo was updated 9 days ago.

Release v0.15.2 was put out today.

So that we don't have another situation like this -

Would it be helpful to have more than one maintainer for it or have a backup plan ?

@Dylan-DPC was added to the repo on Aug 14. I'm still kicking but I appreciate your thoughts of contingency ;)

Note: I would be slightly hesistant to proceed with unmaintained when the crate says it is intended to be used only in test / dev env - nonetheless there are associated monorepo crates which don't mention this and are used elsewhere

As stated on the README, dotenvy is convenient for dev environments. This does not mean that it is not intended for prod. Some may want to use .env files in dev only, preferring to set env vars in the VM or container in prod. Others may wish to use .env in both dev and prod environments. It's up to the preference of the developer.

I created the dotenvy fork because I noticed that dotenv-rs was inactive.

Happy to help improve dotenv on Rust ~

allan2, Aug 23 '22 03:08
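The dev-versus-prod question allan2 raises above comes down to two loader properties: whether a `.env` file is read at all outside development, and whether values in it can clobber variables the deployment environment already set. The following is an added, stand-alone Rust example written for this page; it is not code from dotenv, dotenvy or any of the thread's participants. It assumes (and makes explicit in comments) the non-overriding precedence that dotenv-style loaders are commonly expected to default to, works on a plain `HashMap` rather than the real process environment so it runs offline, and uses a constructed sample `.env` with hypothetical keys.

```rust
use std::collections::HashMap;

/// Parse `.env`-style contents into key/value pairs.
/// Handles `#` comments, blank lines, an optional `export ` prefix, and
/// single- or double-quoted values. Malformed lines are reported as errors.
pub fn parse_dotenv(contents: &str) -> Result<Vec<(String, String)>, String> {
    let mut pairs = Vec::new();
    for (idx, raw) in contents.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let line = line.strip_prefix("export ").unwrap_or(line);
        let (key, value) = line
            .split_once('=')
            .ok_or_else(|| format!("line {}: expected KEY=VALUE", idx + 1))?;
        let key = key.trim();
        if key.is_empty() || !key.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
            return Err(format!("line {}: invalid key {:?}", idx + 1, key));
        }
        let value = value.trim();
        let quoted = value.len() >= 2
            && ((value.starts_with('"') && value.ends_with('"'))
                || (value.starts_with('\'') && value.ends_with('\'')));
        let value = if quoted {
            value[1..value.len() - 1].to_string()
        } else {
            // Unquoted values: strip a trailing inline comment.
            value.split(" #").next().unwrap_or("").trim().to_string()
        };
        pairs.push((key.to_string(), value));
    }
    Ok(pairs)
}

/// Apply parsed pairs onto an environment map. Assumed precedence: a variable
/// already present in the environment wins over the file, so real settings
/// injected by a VM or container are never overridden by a stray `.env`.
/// Returns the keys that were actually set from the file.
pub fn apply_dotenv(env: &mut HashMap<String, String>, pairs: &[(String, String)]) -> Vec<String> {
    let mut set = Vec::new();
    for (k, v) in pairs {
        if !env.contains_key(k) {
            env.insert(k.clone(), v.clone());
            set.push(k.clone());
        }
    }
    set
}

/// Gate the loader on a dev flag: in production the file is not consulted at all,
/// which is the "dev only" deployment style described in the thread.
pub fn load_if_dev(
    env: &mut HashMap<String, String>,
    contents: &str,
    dev_mode: bool,
) -> Result<Vec<String>, String> {
    if !dev_mode {
        return Ok(Vec::new());
    }
    let pairs = parse_dotenv(contents)?;
    Ok(apply_dotenv(env, &pairs))
}

/// Constructed sample `.env` contents (hypothetical keys, not from any real project).
pub const SAMPLE_ENV: &str = "# local development settings\n\
DATABASE_URL=postgres://localhost/app_dev\n\
export SECRET_KEY=\"dev only\"\n\
LOG_LEVEL=debug # verbose in dev\n";

fn main() {
    let mut env: HashMap<String, String> = HashMap::new();
    // Simulate a deployment that already set DATABASE_URL.
    env.insert("DATABASE_URL".into(), "postgres://prod-db/app".into());
    let set = load_if_dev(&mut env, SAMPLE_ENV, true).expect("valid .env");
    println!("set from .env: {:?}", set);
    println!("DATABASE_URL = {}", env["DATABASE_URL"]);
}
```

The point of the two separate functions is that the two safety properties are independent: `apply_dotenv` protects existing variables whether or not the file is loaded, and `load_if_dev` decides whether the file is read at all. A real loader would read the file from disk and call `std::env::set_var`; the map is used here only so the example is testable offline.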