Update futures-lite dependency to avoid pulling unmaintained crate instant #3

Open
kp-mariappan-ramasamy opened this issue Nov 11, 2024 · 1 comment · May be fixed by #5

@kp-mariappan-ramasamy

tokio-eventfd depends on an older version of futures-lite, which depends on the unmaintained instant crate.
The latest version of futures-lite -> fastrand gets rid of this dependency.

Found this while running cargo deny:

error[unmaintained]: `instant` is unmaintained
    ┌─ /github/workspace/Cargo.lock:117:1
    │
    │ -------------------------------------------------------------------- unmaintained advisory detected
    │
    = ID: RUSTSEC-2024-0384
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0384
    = This crate is no longer maintained, and the author recommends using the maintained [`web-time`] crate instead.
      
      [`web-time`]: https://crates.io/crates/web-time
    = Solution: No safe upgrade is available!
    = instant v0.1.13
      └── fastrand v1.9.0
          └── futures-lite v1.13.0
              └── tokio-eventfd v0.2.1
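
The inverse dependency chain in the report above can be recomputed from a lock file when triaging an unmaintained-crate advisory. The following is an added example, not code from this issue or from tokio-eventfd: the `chains` helper and the lock excerpt are constructed here, and it assumes one version per crate name. On a real workspace, `cargo tree -i instant` prints the same information.

```python
from collections import defaultdict

# Constructed Cargo.lock excerpt (checksums omitted) with the chain from the report.
LOCK = '''
[[package]]
name = "fastrand"
version = "1.9.0"
dependencies = [
 "instant",
]
[[package]]
name = "futures-lite"
version = "1.13.0"
dependencies = [
 "fastrand",
]
[[package]]
name = "instant"
version = "0.1.13"
[[package]]
name = "tokio-eventfd"
version = "0.2.1"
dependencies = [
 "futures-lite",
]
'''

def chains(lock, target):
    """Return every chain from `target` up to a package nothing else depends on."""
    ver, rev, cur = {}, defaultdict(list), None
    for line in map(str.strip, lock.splitlines()):
        if line.startswith("name = "):
            cur = line.split('"')[1]
        elif line.startswith("version = ") and cur:  # skips the top-level lock version
            ver[cur] = line.split('"')[1]
        elif line.startswith('"'):
            # Array item: "name", "name version" or "name version (source)".
            rev[line.split('"')[1].split(" ")[0]].append(cur)
    out, stack = [], [[target]] if target in ver else []
    while stack:
        path = stack.pop()
        # Extend the chain by each dependent that is not already on it (cycle guard).
        stack.extend(path + [p] for p in rev.get(path[-1], []) if p not in path)
        if not rev.get(path[-1]):
            out.append(" <- ".join(f"{n} v{ver[n]}" for n in path))
    return out
```

An empty result for the flagged crate after a dependency update means no package in the lock file pulls it in any more.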
chadaustin added a commit to chadaustin/tokio-eventfd that referenced this issue Nov 19, 2024
futures-lite is only used for a convenience macro and it's easy enough
to inline it. This avoids pulling in futures-lite dependencies like
fastrand and waker-fn, reducing the need for security updates.

Separately, tokio's net feature is not needed, so remove it.

Fixes polachok#3
@chadaustin chadaustin linked a pull request Nov 19, 2024 that will close this issue
@kp-mariappan-ramasamy

Thanks @polachok for merging the PR.
Making a cargo release might be helpful to upgrade our deps.

chadaustin added a commit to chadaustin/tokio-eventfd that referenced this issue Dec 5, 2024