Clap: yaml-rust dependency is outdated

Created on 23 Nov 2018 · 13 Comments · Source: clap-rs/clap

Affected Version of clap

2.32.0

Bug or Feature Request Summary

The latest version of yaml-rust is currently:

yaml-rust = "0.4.2"

The version clap is depending on is:

yaml-rust = { version = "0.3.5", optional = true }

An update would be appreciated!

duplicate

All 13 comments

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 17 security advisories (from /home/ubuntu/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (311 crate dependencies)
error: Vulnerable crates found!

ID:      RUSTSEC-2018-0006
Crate:   yaml-rust
Version: 0.3.5
Date:    2018-09-17
URL:     https://github.com/chyh1990/yaml-rust/pull/109
Title:   Uncontrolled recursion leads to abort in deserialization
Solution: upgrade to: >= 0.4.1

error: 1 vulnerability found!
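The advisory above is a bounded-recursion bug: the parser recurses once per nesting level, and the nesting level is chosen by whoever wrote the YAML, so a deep enough document exhausts the stack and the process aborts. The following is an added example, my own code rather than anything from clap or yaml-rust (the actual fix in yaml-rust PR 109 is not reproduced here). It parses a toy YAML-style flow-sequence grammar and shows the shape of the mitigation: a depth counter threaded through the recursive parse that fails fast with an error instead of opening another stack frame. The grammar, the limit of 64, and the 100,000-level hostile input are all assumptions chosen for illustration.

```rust
// Added example (not yaml-rust or clap code): a recursive-descent parser for
// YAML-style flow sequences such as "[a, [b, c], []]" with a nesting limit.
// RUSTSEC-2018-0006 is this bug class: recursion driven by attacker-controlled
// nesting with no bound, so a deep document overflows the stack and aborts.

#[derive(Debug, PartialEq)]
pub enum Node {
    Scalar(String),
    Seq(Vec<Node>),
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Nesting exceeded the configured limit; returned instead of recursing.
    DepthExceeded { limit: usize },
    /// Malformed input at byte offset `pos` (`None` means end of input).
    Unexpected { pos: usize, found: Option<u8> },
}

pub struct Parser<'a> {
    src: &'a str,
    pos: usize,
    max_depth: usize,
}

impl<'a> Parser<'a> {
    pub fn new(src: &'a str, max_depth: usize) -> Self {
        Parser { src, pos: 0, max_depth }
    }

    fn peek(&self) -> Option<u8> {
        self.src.as_bytes().get(self.pos).copied()
    }

    fn skip_ws(&mut self) {
        // ASCII-only so a multi-byte UTF-8 sequence is never split.
        while matches!(self.peek(), Some(b) if b.is_ascii_whitespace()) {
            self.pos += 1;
        }
    }

    /// Parse one value. `depth` is the number of sequences already open
    /// around this position, which is also the recursion depth so far.
    fn value(&mut self, depth: usize) -> Result<Node, ParseError> {
        self.skip_ws();
        match self.peek() {
            Some(b'[') => {
                // The mitigation: refuse to open another level past the limit.
                // Without this check the recursion depth is set by the input.
                if depth >= self.max_depth {
                    return Err(ParseError::DepthExceeded { limit: self.max_depth });
                }
                self.pos += 1;
                let mut items = Vec::new();
                loop {
                    self.skip_ws();
                    match self.peek() {
                        Some(b']') => {
                            self.pos += 1;
                            return Ok(Node::Seq(items));
                        }
                        Some(b',') => self.pos += 1,
                        Some(_) => items.push(self.value(depth + 1)?),
                        None => return Err(ParseError::Unexpected { pos: self.pos, found: None }),
                    }
                }
            }
            Some(b) if b != b']' && b != b',' => {
                let start = self.pos;
                while matches!(self.peek(), Some(b) if b != b',' && b != b']' && b != b'[') {
                    self.pos += 1;
                }
                // Both slice ends sit on ASCII bytes, so they are char boundaries.
                let text = self.src[start..self.pos].trim().to_string();
                Ok(Node::Scalar(text))
            }
            found => Err(ParseError::Unexpected { pos: self.pos, found }),
        }
    }
}

/// Parse a whole document allowing at most `max_depth` nested sequences.
pub fn parse(src: &str, max_depth: usize) -> Result<Node, ParseError> {
    let mut p = Parser::new(src, max_depth);
    let node = p.value(0)?;
    p.skip_ws();
    match p.peek() {
        None => Ok(node),
        found => Err(ParseError::Unexpected { pos: p.pos, found }),
    }
}

/// Constructed hostile input: `n` opening brackets followed by `n` closing ones.
pub fn nested(n: usize) -> String {
    let mut s = String::with_capacity(2 * n);
    s.extend(std::iter::repeat('[').take(n));
    s.extend(std::iter::repeat(']').take(n));
    s
}

fn main() {
    println!("{:?}", parse("[a, [b, c], []]", 16));
    // 100_000 levels would mean 100_000 stack frames in an unbounded parser;
    // with the limit the parse stops after 64 frames and reports an error.
    println!("{:?}", parse(&nested(100_000), 64));
}
```

The important property is that the error surfaces at most `max_depth` frames deep regardless of input size, so the caller gets a `Result` it can handle rather than an abort it cannot; the same pattern applies to any recursive deserializer (mappings, anchors, nested documents), not just sequences.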

Wait, why did this get reverted? :( Should the issue be reopened?

Just to bring everybody up to speed. Yes, the PR that fixed this issue was reverted. The description explains in detail why (https://github.com/clap-rs/clap/pull/1439)

I have opened https://github.com/chyh1990/yaml-rust/issues/126 which would allow me to merge a backported patch that mitigates this vulnerability to 0.3.x. Then they could publish a new patch version that we pin to :tada:

Wonderful explanation! Thank you. :)

@spacekookie yaml-rust doesn't seem actively maintained, or at least I don't see your request getting any attention. Alternatives?

I'd suggest we fork 0.3 and upload it to crates.io ourselves. I'll probably do that this afternoon.

Thanks for the reminder on this btw. I've been pretty swamped at work the last 2 months :weary:

Thanks a lot. Is there anything I can do to help? I don't have much experience dealing with crates.io.

Closing due to inactivity. Honestly, I don't think we should fix it unless we have the patch backported to rust-yaml 0.3

If yaml support is unmaintained, can you please drop the dependency as a whole?

How would you expect us to drop it from 2.33? That would be a breaking change.

Also, like I said, there's not much point in this fix for clap anyway.

I didn't file the issue due to security issues but because we have to carry a patch for clap downstream: https://salsa.debian.org/rust-team/debcargo-conf/blob/master/src/clap/debian/patches/relax-dep-versions.patch

Closing the issue doesn't make the dependency less outdated.

We have a duplicate at #1569. Please follow there.

@kpcyrd for clarity, the reason we can't bump rust-yaml to 0.4 is because some types from this crate are part of clap's API. If we actually do the bump, that would be a breaking change for users relying on them.

We did bump in the new-coming clap 3.0 but clap 2.x is going to have to stay on rust-yaml 0.3.x
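Since clap 2.x stays on yaml-rust 0.3.x, the practical route for a downstream binary is the one suggested earlier in the thread: keep clap's `^0.3.5` requirement satisfied but point it at a 0.3-line fork carrying the backported fix. The following is an added example of how that override looks in the downstream crate's Cargo.toml; it is not a file from clap or from the Debian package, and the git URL is a placeholder (no such fork is identified on this page).

```toml
# Added example, not from clap or Debian: Cargo.toml of a downstream binary
# that keeps clap 2.x (so yaml-rust ^0.3.5 remains in the tree) but builds
# against a 0.3-line fork with the recursion fix backported.
[dependencies]
clap = { version = "2.33", features = ["yaml"] }

[patch.crates-io]
# The replacement must still satisfy clap's "^0.3.5" requirement, so the
# fork's own Cargo.toml has to declare a 0.3.x version (0.3.6, say) or cargo
# will ignore the patch. The URL below is a placeholder.
yaml-rust = { git = "https://example.invalid/yaml-rust-0.3-fork" }
```

Two caveats: `[patch]` only takes effect in the top-level crate being built, so every consumer has to carry it, and `cargo audit` will keep flagging the 0.3.x version because the advisory's fixed range is `>= 0.4.1`; once the fork has been verified to contain the fix, the report can be silenced with `cargo audit --ignore RUSTSEC-2018-0006`.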
