Skip to content

RUSTSEC-2024-0436: paste is unmaintained (rmp) #365

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kpcyrd opened this issue Mar 7, 2025 · 2 comments · May be fixed by #366
Open

RUSTSEC-2024-0436: paste is unmaintained (rmp) #365

kpcyrd opened this issue Mar 7, 2025 · 2 comments · May be fixed by #366

Comments

@kpcyrd
Copy link

kpcyrd commented Mar 7, 2025

hello!

I'm filing this well aware that this is not a security issue in itself (the crate is probably still good to use for now), but also wanted to document that rmp is currently pulling paste into the dependency tree that RUSTSEC-2024-0436 has been filed against.

I don't know what the crate does/did, so not sure how easy this is to change.

Cheers!
loqusion added a commit to loqusion/tower-sesh that referenced this issue Mar 8, 2025
@loqusion
ci: ignore RUSTSEC-2024-0436 (paste - no longer maintained)
0aea84f 
See: 3Hren/msgpack-rust#365
@jonasbb jonasbb mentioned this issue Mar 8, 2025
Closed
@V0ldek
Copy link

V0ldek commented Mar 10, 2025

Also wanted to flag this, this counts as a vulnerability for the purposes of tools such as cargo-deny. In my case it's not high severity since I only use rmp-serde as a dev-dependency, but if someone uses a similarly aggressive security policy on their crate as I do and has it as an actual dependency then their build just became broken.

dtolney didn't really leave any helpful notes behind, just a terse "no longer maintained" note so I don't know how to migrate this, it probably heavily depends on how this crate used paste.

@kpcyrd
Copy link
Author

kpcyrd commented Mar 11, 2025

In the meantime cargo-deny 0.18.2 has re-introduced:

[advisories]
unmaintained = "workspace"

To only fail the build if you depend on an unmaintained crate directly, which I think is a reasonable approach.

The update has been merged into Alpine edge just now: https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/80492

NikSneMC added a commit to NikSneMC/msgpack-rust that referenced this issue Apr 5, 2025
@NikSneMC
fix(rmp): use pastey instead of paste
f6eb178 
Closes 3Hren#365
@NikSneMC NikSneMC linked a pull request Apr 5, 2025 that will close this issue
Open
NikSneMC added a commit to NikSneMC/msgpack-rust that referenced this issue Apr 5, 2025
@NikSneMC
refactor(rmp): use pastey instead of paste
283f5c4 
Closes 3Hren#365
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

refactor(rmp): use pastey instead of paste NikSneMC/msgpack-rust
2 participants
@kpcyrd @V0ldek