dependency paste - no longer maintained
I run deny to check my project, and it leads to an error:
cargo deny check advisories
error[unmaintained]: paste - no longer maintained
┌─ /home/................................................/Cargo.lock:218:1
│
218 │ paste 1.0.15 registry+https://github.com/rust-lang/crates.io-index
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
│
├ ID: RUSTSEC-2024-0436
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0436
├ The creator of the crate `paste` has stated in the [`README.md`](https://github.com/dtolnay/paste/blob/master/README.md)
that this project is not longer maintained as well as archived the repository
## Possible Alternative(s)
- [pastey](https://crates.io/crates/pastey), a fork of paste and is aimed to be a drop-in replacement with additional features for paste crate
├ Announcement: https://github.com/dtolnay/paste
├ Solution: No safe upgrade is available!
├ paste v1.0.15
├── serde_valid v1.0.5
...
advisories FAILED
Looks like this dependency should be replaced with pastey.
How to install deny:
RUN cargo install --locked cargo-deny
https://crates.io/crates/cargo-deny
I received a similar issue in serde_yaml, but I'm not sure if pastey is really the right choice as a replacement for the new crate.
If it's just a warning that it's not being maintained, I'd like to wait and see how things develop.
Maintainer declared that pastey is the fork of paste and is aimed to be a drop-in replacement with additional features for paste crate
Looks like it will be enough to change Cargo.toml
serde_valid has tests. And looks like it has pretty good code coverage.
Will it be enough to be sure that it works?
> Maintainer declared that pastey is the fork of paste and is aimed to be a drop-in replacement with additional features for paste crate
> Looks like it will be enough to change Cargo.toml
Even if the maintainer declares that it will be so, there is no guarantee that it will actually be as declared. Like the case of XZ Utils, there are maintainers who, after behaving correctly for many years, suddenly install backdoors.
It will take time for him to succeed in gaining the support of many users and fostering a community as a successor library. I have no intention of moving at this point.
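For a downstream project whose `cargo deny check advisories` run keeps failing on this advisory while serde_valid still depends on paste, one way to record the exception explicitly is an ignore entry in the project's `deny.toml`. This is an added example, not part of the thread or of serde_valid; the reason text is illustrative.

```toml
# deny.toml (in the downstream project that runs cargo-deny)
[advisories]
ignore = [
    # Unmaintained-crate notice for paste 1.0.15, pulled in through serde_valid.
    # The advisory reports no vulnerability, only that the repository is archived.
    # Remove this entry once paste is no longer in Cargo.lock.
    { id = "RUSTSEC-2024-0436", reason = "paste is a transitive dependency via serde_valid; unmaintained notice only, revisit when upstream changes the dependency" },
]
```

Scoping the ignore to the single advisory ID keeps every other advisory check active, and the recorded reason gives reviewers something to re-evaluate later.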