
adler is archived

Open jayvdb opened this issue 1 year ago • 14 comments

https://crates.io/crates/adler has a lot of dependents, including https://github.com/rust-lang/backtrace-rs via https://github.com/Frommi/miniz_oxide .

See https://github.com/Frommi/miniz_oxide/issues/148

https://github.com/jonas-schievink/adler was archived around 25 March 2024. Seems most of their repos were also archived.

https://github.com/jonas-schievink last commit was September 2023.

jayvdb avatar Jul 03 '24 03:07 jayvdb

24% of all crates on crates.io transitively depend on adler

@fintelia How did you figure this out?

smoelius avatar Jul 07 '24 09:07 smoelius

You can divide "Used in 35,426 crates" (https://lib.rs/crates/adler) by "150,348 Crates in stock" (https://crates.io).

To see the historical metric, cargo tally --relative --transitive adler

dtolnay avatar Jul 07 '24 14:07 dtolnay

Thanks, @dtolnay!

smoelius avatar Jul 07 '24 14:07 smoelius

24% of all crates on crates.io transitively depend on adler, but it has only 9 direct dependents.

Given that, it would probably make sense to work directly with those 9 crates, perhaps opening an issue if there isn't one already and linking it here, rather than immediately publishing an advisory for this (or at least, wait until it's been fixed upstream so the advisory is actionable, and that action is to update Cargo.lock)

Otherwise, this is going to be a very noisy advisory with little actionable impact aside from those 9 crates, especially as we don't currently have ways of filtering out advisories for transitive dependencies.

tarcieri avatar Jul 07 '24 14:07 tarcieri

I think it is of note that of those 9 direct dependants:

  • simd-adler32 and pixelmosh have adler only as a dev-dependency
    • pixelmosh only has one dependant, which has no dependants itself
  • cargo-attributions, intelligit, emote-psb, zawk, nod, and rxsync have no dependants

This leaves only miniz_oxide with both adler as a normal dependency and with dependants.

Skgland avatar Jul 07 '24 20:07 Skgland

Archived repos effectively can't receive bug reports. Even more so when the owner of the repo appears to have intentionally stopped all activity here, in which case it is preferable to respect their decision and avoid contacting the maintainer except in a critical circumstance.

jayvdb avatar Jul 10 '24 04:07 jayvdb

As the maintainer of miniz_oxide I would be fine with forking it; however, ideally it would be nice if there was someone besides me that could help out maintaining it and miniz_oxide (or maybe moving it to an org or something). The situation around it is not really ideal at the moment, as I'm the only maintainer: the actual owner of the miniz_oxide repo and the other person with access rights has not had any activity since June last year, so I don't know if they are even still around.

oyvindln avatar Jul 13 '24 18:07 oyvindln

@oyvindln alternatively you could vendor the relevant code and drop the dependency, since there don’t seem to be that many other users

tarcieri avatar Jul 13 '24 18:07 tarcieri

I guess I'll fork it then - I'd rather keep it separate since there are actually some other active users of it.

oyvindln avatar Jul 29 '24 15:07 oyvindln

Okay - I have made a fork called adler2: https://crates.io/crates/adler2

Will make an update to miniz_oxide soon with a semver bump that updates to using adler2 instead of adler if this looks fine.

oyvindln avatar Aug 04 '24 20:08 oyvindln

Also ping @jonas-schievink in case they are still watching github

oyvindln avatar Aug 05 '24 21:08 oyvindln

I've now also updated miniz_oxide to use adler2 - so the main thing that remains is to update flate2 and backtrace to this version, I guess.

oyvindln avatar Aug 09 '24 12:08 oyvindln