
Fix unmaintained audit warning for yaml-rust

Open SleeplessOne1917 opened this issue 1 year ago • 11 comments

When running cargo audit on this repo, I get a warning that yaml-rust is no longer maintained:

Crate:     yaml-rust
Version:   0.4.5
Warning:   unmaintained
Title:     yaml-rust is unmaintained.
Date:      2024-03-20
ID:        RUSTSEC-2024-0320
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0320
Dependency tree:
yaml-rust 0.4.5
└── syntect 5.2.0

This PR replaces that dependency with yaml-rust2, which does the same thing and has the same API, but is also actively maintained.

Some other warnings popped up as well, but they were related to dev dependencies, so likely not a big deal.

SleeplessOne1917 avatar May 30 '24 02:05 SleeplessOne1917
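The report quoted in the description is the human-readable format `cargo audit` prints. As an added example (not code from syntect or from cargo-audit), the following Rust program parses that format into structured records and applies a small CI policy to them: vulnerabilities always block, warnings such as `unmaintained` block unless their advisory id is on a reviewed allowlist. The sample text is the report copied from the description; the assumption that blocks without a `Warning:` line are vulnerabilities, and the exact spacing of the fields, are taken from that quoted output rather than from cargo-audit's source.

```rust
// Added example, not code from syntect or cargo-audit: turn the
// human-readable `cargo audit` report into structured records so a
// CI job can apply a deliberate policy instead of eyeballing the text.
use std::collections::BTreeMap;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub crate_name: String,
    pub version: String,
    /// "unmaintained", "unsound", "yanked", ... for warnings;
    /// "vulnerability" for blocks that carry no "Warning:" line (assumption).
    pub kind: String,
    pub id: String,
    pub title: String,
    pub url: String,
    /// Crates listed under "Dependency tree:", flagged crate first,
    /// ending at the workspace crate that pulls it in.
    pub dependency_path: Vec<String>,
}

/// Parse every advisory block in the report. Blocks are separated by a
/// blank line; `Key: value` lines become fields, and every line after
/// "Dependency tree:" is a tree entry whose box-drawing prefix is dropped.
pub fn parse_report(text: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for block in text.split("\n\n") {
        let mut fields: BTreeMap<&str, String> = BTreeMap::new();
        let mut path = Vec::new();
        let mut in_tree = false;
        for line in block.lines() {
            let line = line.trim_end();
            if line.is_empty() {
                continue;
            }
            if in_tree {
                // "yaml-rust 0.4.5" or "└── syntect 5.2.0": keep the crate name.
                let entry = line.trim_start_matches(|c: char| !c.is_alphanumeric());
                if let Some(name) = entry.split_whitespace().next() {
                    path.push(name.to_string());
                }
            } else if line.starts_with("Dependency tree:") {
                in_tree = true;
            } else if let Some((key, value)) = line.split_once(':') {
                fields.insert(key.trim(), value.trim().to_string());
            }
        }
        // Progress lines ("Fetching advisory database...") form blocks
        // without a Crate: field; skip them.
        let Some(crate_name) = fields.get("Crate") else { continue };
        let get = |k: &str| fields.get(k).cloned().unwrap_or_default();
        findings.push(Finding {
            crate_name: crate_name.clone(),
            version: get("Version"),
            kind: fields
                .get("Warning")
                .cloned()
                .unwrap_or_else(|| "vulnerability".to_string()),
            id: get("ID"),
            title: get("Title"),
            url: get("URL"),
            dependency_path: path,
        });
    }
    findings
}

/// True when the only crate above the finding in the tree is `root`,
/// i.e. the flagged crate is a direct dependency of the audited crate.
pub fn is_direct_dependency(f: &Finding, root: &str) -> bool {
    f.dependency_path.len() == 2 && f.dependency_path[1] == root
}

/// Findings that should fail the build: every vulnerability, plus any
/// warning whose advisory id has not been reviewed and allowlisted.
pub fn blocking<'a>(findings: &'a [Finding], allowed_ids: &[&str]) -> Vec<&'a Finding> {
    findings
        .iter()
        .filter(|f| f.kind == "vulnerability" || !allowed_ids.contains(&f.id.as_str()))
        .collect()
}

/// Report text copied from the PR description.
pub const SAMPLE_REPORT: &str = "\
Crate:     yaml-rust
Version:   0.4.5
Warning:   unmaintained
Title:     yaml-rust is unmaintained.
Date:      2024-03-20
ID:        RUSTSEC-2024-0320
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0320
Dependency tree:
yaml-rust 0.4.5
└── syntect 5.2.0
";

fn main() {
    let findings = parse_report(SAMPLE_REPORT);
    for f in &findings {
        println!("{} {} {} ({}) via {}", f.id, f.crate_name, f.version, f.kind,
                 f.dependency_path.join(" <- "));
    }
    // Empty allowlist: the unmaintained warning blocks, as it should until reviewed.
    let blockers = blocking(&findings, &[]);
    if !blockers.is_empty() {
        eprintln!("{} finding(s) need attention", blockers.len());
        std::process::exit(1);
    }
}
```

In a pipeline you would feed it `cargo audit`'s output on stdin and keep the allowlist in the repository next to the advisory ids it names, so that accepting an `unmaintained` warning is a reviewed change rather than a silent default.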

I really need to check the PR tracker first, as there is already a PR for this with #538. Maintainers' call as to which PR to use.

SleeplessOne1917 avatar May 30 '24 02:05 SleeplessOne1917

I've looked at the others and I think this PR is the one to use.

Can you fix the CI failure please?

Note to self: There is no Cargo.lock diff since there is no Cargo.lock.

Enselic avatar May 30 '24 04:05 Enselic

Failures for 2 of the steps are saying Makefile.sublime-syntax: Invalid YAML file syntax: comments must be separated from other tokens by whitespace at byte 10 line 2 column 1. Do you know where I can find that file, as it's not showing up when I search through the project files?

Also, I'm not sure what to do about the minimum supported rust version test.

SleeplessOne1917 avatar May 30 '24 13:05 SleeplessOne1917

Makefile.sublime-syntax is in the testdata folder, Packages submodule, Makefile subfolder

If the yaml specification and version of the yaml file hasn't changed, why is it reporting a parse error I wonder when it didn't before?

keith-hall avatar May 30 '24 14:05 keith-hall

Makefile.sublime-syntax is in the testdata folder, Packages submodule, Makefile subfolder

Is that file supposed to be generated? I don't see anything in that directory.

SleeplessOne1917 avatar May 30 '24 14:05 SleeplessOne1917

It will appear when you checkout the git submodules https://github.com/trishume/syntect#getting-started

keith-hall avatar May 30 '24 14:05 keith-hall

I did some investigation and it turns out yaml-rust2 is buggy. It doesn't recognize this kind of header for YAML files:

%YAML 1.2
---
# actual content here

It is also unable to parse Markdown.sublime-syntax. To check that it was an issue with the library and not the YAML file itself, I pasted the contents into this YAML validator and it says it's valid. I tested the same file in a little test project I threw together and, sure enough, it gave me the same errors it gave in this repo's CI tests.

I'll open an issue on the library's repository.

SleeplessOne1917 avatar May 31 '24 01:05 SleeplessOne1917
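The three-line header above (`%YAML 1.2`, `---`, a comment) is exactly the document prolog the YAML 1.2 spec describes, and the CI position "byte 10 line 2 column 1" is the first character after a nine-character first line such as `%YAML 1.2`, that is, the `---` marker. As an added example that is not code from syntect or yaml-rust2, the Rust scanner below applies the two spec rules the error message touches on: a `#` starts a comment only at the start of a line or after whitespace (elsewhere it is part of the scalar), and `%` directives may appear only before the `---` document-start marker. Running it over the header confirms the input satisfies those rules, which is the check one wants before deciding the parser rather than the file is at fault. The fourth sample line is constructed here to show a trailing comment; quote handling is the simplified form noted in the code.

```rust
// Added example, not syntect's or yaml-rust2's code: a minimal scanner
// for a YAML 1.2 document prolog, checking the spec rules that the CI
// error message "comments must be separated from other tokens by
// whitespace" refers to.

#[derive(Debug, PartialEq, Eq)]
pub enum Token {
    YamlDirective(String),  // declared version, e.g. "1.2"
    OtherDirective(String), // any other %directive line, kept verbatim
    DocumentStart,
    Comment(String),
    Content(String),        // any other line with its trailing comment removed
}

#[derive(Debug, PartialEq, Eq)]
pub struct ScanError {
    pub line: usize,
    pub message: String,
}

/// Split a line into content and an optional trailing comment. A '#'
/// only opens a comment at line start or after whitespace, and never
/// inside single or double quotes (simplified: no escape handling).
pub fn split_comment(line: &str) -> (&str, Option<&str>) {
    let bytes = line.as_bytes();
    let mut quote: Option<u8> = None;
    for (i, &b) in bytes.iter().enumerate() {
        match (quote, b) {
            (None, b'\'') | (None, b'"') => quote = Some(b),
            (Some(q), _) if q == b => quote = None,
            (None, b'#') if i == 0 || bytes[i - 1].is_ascii_whitespace() => {
                return (line[..i].trim_end(), Some(line[i + 1..].trim()));
            }
            _ => {}
        }
    }
    (line.trim_end(), None)
}

/// Tokenise the prolog and body lines, rejecting directives that appear
/// after '---' and directives that are not followed by '---'.
pub fn scan_prolog(text: &str) -> Result<Vec<Token>, ScanError> {
    let mut tokens = Vec::new();
    let mut seen_document_start = false;
    let mut pending_directive = false;
    let err = |line: usize, m: &str| ScanError { line, message: m.to_string() };
    for (n, raw) in text.lines().enumerate() {
        let lineno = n + 1;
        let (content, comment) = split_comment(raw);
        if content.is_empty() {
            if let Some(c) = comment {
                tokens.push(Token::Comment(c.to_string()));
            }
            continue;
        }
        if let Some(directive) = content.strip_prefix('%') {
            if seen_document_start {
                return Err(err(lineno, "directive after document start"));
            }
            pending_directive = true;
            let mut parts = directive.split_whitespace();
            if parts.next() == Some("YAML") {
                // %YAML takes exactly one "major.minor" argument.
                let version = parts.next().filter(|v| {
                    let mut it = v.split('.');
                    matches!((it.next(), it.next(), it.next()),
                        (Some(a), Some(b), None)
                            if a.parse::<u32>().is_ok() && b.parse::<u32>().is_ok())
                });
                match version {
                    Some(v) => tokens.push(Token::YamlDirective(v.to_string())),
                    None => return Err(err(lineno, "malformed %YAML directive")),
                }
            } else {
                tokens.push(Token::OtherDirective(content.to_string()));
            }
        } else if content == "---" || content.starts_with("--- ") {
            seen_document_start = true;
            pending_directive = false;
            tokens.push(Token::DocumentStart);
            let rest = content[3..].trim();
            if !rest.is_empty() {
                tokens.push(Token::Content(rest.to_string()));
            }
        } else if pending_directive {
            return Err(err(lineno, "directive not followed by '---'"));
        } else {
            tokens.push(Token::Content(content.to_string()));
        }
        if let Some(c) = comment {
            tokens.push(Token::Comment(c.to_string()));
        }
    }
    Ok(tokens)
}

/// The header quoted in the thread plus one constructed content line.
pub const SAMPLE: &str = "%YAML 1.2\n---\n# actual content here\nname: Makefile # constructed line\n";

fn main() {
    match scan_prolog(SAMPLE) {
        Ok(tokens) => tokens.iter().for_each(|t| println!("{t:?}")),
        Err(e) => eprintln!("line {}: {}", e.line, e.message),
    }
}
```

Passing this scan only shows the input follows the spec's comment and directive rules; it says nothing about which of the two parsers is conformant beyond that, which is why reporting the minimal input to the library, as done here, is the right next step.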

Also, I'm not sure what to do about the minimum supported rust version test.

If you were using yaml-rust, you can disable the default features of yaml-rust2 to lower MSRV from 1.70 to 1.65.

Ethiraric avatar May 31 '24 15:05 Ethiraric

Feel free to bump MSRV if needed

Enselic avatar May 31 '24 16:05 Enselic

Hi! If you still want to transition to yaml-rust2, is there anything I can help you with?

Ethiraric avatar Sep 25 '24 15:09 Ethiraric

@Ethiraric I forgot about this PR. I'll squeeze some time in this week to see if there's anything I can address on my end to get the build passing.

SleeplessOne1917 avatar Sep 25 '24 16:09 SleeplessOne1917