yaml-rust appears unmaintained... #1921
Comments
|
Stumbled onto https://crates.io/crates/yaml-rust2 / https://github.com/Ethiraric/yaml-rust2 yesterday... it forks from the latest commit on the original repository https://github.com/chyh1990/yaml-rust on 2021-07-12, and adds commits starting on 2023-08-14 and latest on 2024-02-08. I've done a quick review and appears to be functional and in good faith, but should have more people review and confirm.
|
|
Heya! It forks from one of the pull requests from the original I've also added a bunch of comments to the code, refactored some constructs and optimized so that the library should be faster than I have waited to produce real benchmark data before doing an announced release. I am fairly new to the art of benchmarking, and my last attempts at optimizing have failed, which is why there hasn't been any meaningful commit for a month now. As-is, I see no reason the code would be less functional than If there's anything I could help with, do feel free to open an issue or send me an e-mail (I'll add that to my profile in a second, but I have a gmail address whose local part is my username here). |
|
@davvid's https://crates.io/crates/yaml-rust-davvid is another fork that, to the best of my knowledge, is sincere. |
|
Yes, I'm relying on the availability of this functionality long-term so I'd be more than happy to help maintain a fork or swap over to a different fork. I wasn't aware of yaml-rust2, thanks for bringing that to my attention. |
|
I've had a look at the commits on @davvid's repository, and it seems that they are mostly focused on the output API and handling of |
|
@davvid Our repositories should have a common ancestor in the latest Would it be okay with you if I tried merging your commit tree into my repository? |
|
@Ethiraric that'd be great. I actually started on the merge before seeing your message and submitted the changes in a clean rebase over at Ethiraric/yaml-rust2#2 |
|
Thank you very much for your work on this pull request! I hope we can get it to merge cleanly soon ❤️ |
|
I just wanted to say that If someone would like to file an unmaintained crate advisory in advance, we can merge it when that time has elapsed. |
|
I'm linking these here so that folks landing here can see the full paper trail going back to 2020. I guess waiting another 3 months isn't really going to hurt (or change much) in that respect since we've already waited ~4 years. |
|
Aah, with chyh1990/yaml-rust#160 especially it seems clear this crate is unmaintained as the maintenance status has already been publicly asked about without response. Feel free to file an advisory then. It can be merged immediately. |
|
Using the latest https://crates.io/crates/yaml-rust2 results in https://osv.dev/RUSTSEC-2021-0153 |
|
@jayvdb that would be good to report on the |
|
Sorry this is a bit out of topic but I'll reply here. If I'm not mistaken, this refers to the |
|
Why can't yaml-rust2 take over the yaml-rust crate name? Updating the world to yaml-rust2 is going to be pretty painful. Lots of third-party crates will have to be patched, and there's the possibility of type mismatches while some crates are updated and others aren't. Also, dtolnay responded by marking serde_yaml as unmaintained :-(. |
|
@rocallahan the author is completely non-communicative per: |
|
A "takeover" causes more problems than it's worth. And that's even if it's 100% compatible. You have competing issues... on one hand you might be thinking: we gotta force everyone who depends on an old and unmaintained crate to upgrade for security reasons. Well (a) you can't because they might have chosen to depend on a specific old version, (b) if they didn't you might be introducing breakage, and (c) it's their problem if they depend on old and unmaintained crates... they still need to exist so the whole thing doesn't fail. Further, afaik cargo-audit is an aid to help inform authors and users about security issues... not enforce anyone's particular requirements. IMHO, the best way is as it is: Make a new crate, fork, whatever. Let crate authors depend on whichever crates/versions they want. Done. |
`yaml-rust` crate is unmaintained 1) `syntect` author won't update this dep to a fork of it due to lack of trust concerns with this new fork: trishume/syntect#526 2) cargo-deny produces this output: error[unmaintained]: yaml-rust is unmaintained. ┌─ /home/nazmul/github/r3bl-open-core/Cargo.lock:295:1 │ 295 │ yaml-rust 0.4.5 registry+https://github.com/rust-lang/crates.io-index │ --------------------------------------------------------------------- unmaintained advisory detected │ = ID: RUSTSEC-2024-0320 = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0320 = The maintainer seems [unreachable](chyh1990/yaml-rust#197). Many issues and pull requests have been submitted over the years without any [response](chyh1990/yaml-rust#160). ## Alternatives Consider switching to the actively maintained `yaml-rust2` fork of the original project: - [yaml-rust2](https://github.com/Ethiraric/yaml-rust2) - [yaml-rust2 @ crates.io](https://crates.io/crates/yaml-rust2)) = Announcement: rustsec/advisory-db#1921 = Solution: No safe upgrade is available! = yaml-rust v0.4.5 └── syntect v5.1.0 └── r3bl_tui v0.5.2 └── r3bl-cmdr v0.0.11
`yaml-rust` crate is unmaintained 1) `syntect` author won't update this dep to a fork of it due to lack of trust concerns with this new fork: trishume/syntect#526 2) cargo-deny produces this output: error[unmaintained]: yaml-rust is unmaintained. ┌─ /home/nazmul/github/r3bl-open-core/Cargo.lock:295:1 │ 295 │ yaml-rust 0.4.5 registry+https://github.com/rust-lang/crates.io-index │ --------------------------------------------------------------------- unmaintained advisory detected │ = ID: RUSTSEC-2024-0320 = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0320 = The maintainer seems [unreachable](chyh1990/yaml-rust#197). Many issues and pull requests have been submitted over the years without any [response](chyh1990/yaml-rust#160). ## Alternatives Consider switching to the actively maintained `yaml-rust2` fork of the original project: - [yaml-rust2](https://github.com/Ethiraric/yaml-rust2) - [yaml-rust2 @ crates.io](https://crates.io/crates/yaml-rust2)) = Announcement: rustsec/advisory-db#1921 = Solution: No safe upgrade is available! = yaml-rust v0.4.5 └── syntect v5.1.0 └── r3bl_tui v0.5.2 └── r3bl-cmdr v0.0.11
See also chyh1990/yaml-rust#197
The text was updated successfully, but these errors were encountered: