RUSTSEC-2020-0056: stdweb is unmaintained #4779

Closed
github-actions bot opened this issue Oct 6, 2022 · 5 comments
Labels: A-security (Area - Security related), C-depencies (Category - Dependency update)

github-actions bot commented Oct 6, 2022

stdweb is unmaintained

Details
Status: unmaintained
Package: stdweb
Version: 0.4.20
URL: koute/stdweb#403
Date: 2020-05-04

The author of the stdweb crate is unresponsive.

Maintained alternatives:

See advisory page for additional details.

@stringhandler
Collaborator

I don't see any references to this crate using cargo tree -i stdweb

@delta1
Contributor

delta1 commented Nov 1, 2022

It's behind features but cargo tree won't show it for some reason @stringhandler

You can see it in the lockfile

tari/Cargo.lock

Line 1791 in cd88484

"stdweb",

tari/Cargo.lock

Line 4388 in cd88484

name = "stdweb"

stringhandler reopened this Nov 1, 2022
@stringhandler
Collaborator

ah thanks

@stringhandler
Collaborator

Looks like it can be resolved by upgrading the rand crate. There are a number of crates that use this. It can be found with:
cargo tree -i getrandom:0.1.16
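
Added example, not part of the thread or of the Tari code base: Cargo.lock records optional and target-specific dependencies regardless of which features are enabled, so walking it upward from a crate shows what pulls that crate in even when `cargo tree -i` prints nothing. The function names `lock_rdeps` and `sample_lock` are hypothetical, and the sample lockfile is constructed (only stdweb 0.4.20 and getrandom 0.1.16 come from this issue); the crate argument is either `name` or `name version`.

```shell
# usage: lock_rdeps Cargo.lock stdweb   -> "dependent <- dependency" lines
lock_rdeps() {
  awk -v t="$2" '
    function unq(s) { gsub(/[",]/, "", s); sub(/^ +/, "", s); return s }
    /^name = /           { nm = unq($3); next }
    /^version = /        { key = nm " " unq($3)        # seed the walk at the crate
                           if (key == t || nm == t) { seen[key] = 1; queue[++q] = key } }
    /^dependencies = \[/ { in_deps = 1; next }
    /^\]/                { in_deps = 0; next }
    in_deps { nf = split(unq($0), f, " ")   # "name" (unique) or "name version (source)"
              d = (nf > 1) ? f[1] " " f[2] : f[1]; parents[d] = parents[d] key "\n" }
    END {
      for (h = 1; h <= q; h++) {            # breadth-first walk towards the roots
        split(queue[h], k, " ")             # k[1] is the bare crate name
        c = split(parents[queue[h]] parents[k[1]], p, "\n")
        for (j = 1; j < c; j++) if (!(p[j] in seen)) {
          seen[p[j]] = 1; queue[++q] = p[j]; print p[j] " <- " queue[h] }
      }
    }' "$1"
}

# Constructed sample lockfile for the demo (not the project lockfile).
sample_lock() { cat <<'EOF'
[[package]]
name = "example_app"
version = "0.1.0"
dependencies = [
 "rand",
]
[[package]]
name = "getrandom"
version = "0.1.16"
dependencies = [
 "stdweb",
]
[[package]]
name = "getrandom"
version = "0.2.8"
[[package]]
name = "rand"
version = "0.7.3"
dependencies = [
 "getrandom 0.1.16",
]
[[package]]
name = "stdweb"
version = "0.4.20"
EOF
}
```
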

stringhandler added the A-security and C-depencies labels Nov 1, 2022
stringhandler added this to the Stagenet Freeze milestone Nov 1, 2022
stringhandler moved this to Selected for development in Tari Esme Testnet Nov 15, 2022
@brianp
Contributor

brianp commented Nov 24, 2022

Although all getrandom packages have not been updated, the use of features requiring stdweb was removed in #4844 which removed stdweb from the dependency chain entirely.

This issue can be closed. Only leaving it open for visibility in standup.

brianp self-assigned this Nov 24, 2022
brianp moved this from Selected for development to In Review in Tari Esme Testnet Nov 24, 2022
stringhandler moved this from In Review to Done in Tari Esme Testnet Nov 30, 2022