Skip to content

chore: add audit.toml to ignore known unmaintained crates#3570

Merged
vicsn merged 4 commits intoProvableHQ:stagingfrom
joske:audit
Jun 5, 2025
Merged

chore: add audit.toml to ignore known unmaintained crates#3570
vicsn merged 4 commits intoProvableHQ:stagingfrom
joske:audit

Conversation

@joske
Copy link
Copy Markdown
Contributor

@joske joske commented Apr 2, 2025
edited
Loading

Motivation

cargo audit complains that ansi_term and paste crates are unmaintained.

For paste: As the rust community considers this 'done', we can safely ignore this warning.
For ansi_term: Crate was unmaintained for 4 years. Removed this dependency.

Test Plan

no actual code changes

@joske
Copy link
Copy Markdown
Contributor Author

joske commented Apr 2, 2025

@niklaslong could you review? I can't set reviewers it seems.

@niklaslong
Copy link
Copy Markdown
Collaborator

niklaslong commented Apr 2, 2025

I think this is a reasonable approach to take, though we should be very strict with the advisories we choose to include here. It might also be a good practice to periodically review this list. Could you also add comments to the file explaining why each advisory is ignored and perhaps link to relevant discussions?

@niklaslong niklaslong requested review from raychu86 and vicsn April 2, 2025 10:40
@joske
Copy link
Copy Markdown
Contributor Author

joske commented Apr 2, 2025

Absolutely, we should think hard about adding anything to this list. There exists a fork of paste called pastey that is supposedly drop-in, but I'd be more weary to change to that than to just keep paste.

@vicsn vicsn requested a review from kaimast April 2, 2025 16:27
@niklaslong
Copy link
Copy Markdown
Collaborator

niklaslong commented Apr 3, 2025

I'd be more weary to change to that than to just keep paste.

Agreed! 👍

@kaimast
Copy link
Copy Markdown
Contributor

kaimast commented Apr 7, 2025
edited
Loading

Looks good to me!

Should we create an issue for each unmaintained dependency, so we don't forget about it?

For ansi_term it looks like we would need to upgrade tracing-test, which might be good anyway because it should get rid of the dependency on tracing-subscriber 0.2 (snarkOS also depends on 0.3)

kaimast
kaimast previously approved these changes Apr 7, 2025
View reviewed changes
@vicsn
Copy link
Copy Markdown
Collaborator

vicsn commented Apr 8, 2025

For ansi_term it looks like we would need to upgrade tracing-test, which might be good anyway because it should get rid of the dependency on tracing-subscriber 0.2 (snarkOS also depends on 0.3)

@joske We should indeed just try to get rid of ansi_term, its use seems to be limited. Then we can remove that from the ignore list.

Can you also add a CI job which runs cargo audit? Also for snarkVM?

Should we create an issue for each unmaintained dependency, so we don't forget about it?

And yes we can make an issue to track the situation of the paste dependency...

@joske joske force-pushed the audit branch 3 times, most recently from 7365dd7 to 9b29f7f Compare April 9, 2025 07:47
@joske
Copy link
Copy Markdown
Contributor Author

joske commented Apr 9, 2025

@vicsn (github) workflow added. It will fail on any warning.

@joske
Copy link
Copy Markdown
Contributor Author

joske commented Apr 9, 2025

Apparently tokio should be upgraded to 1.42.2. Should probably be another PR?

@joske joske force-pushed the audit branch 2 times, most recently from 1a2cfde to 5e9ed77 Compare April 11, 2025 08:55
@joske
Copy link
Copy Markdown
Contributor Author

joske commented Apr 11, 2025

ansi_term dep removed.

vicsn
vicsn reviewed Apr 11, 2025
View reviewed changes
@joske
Copy link
Copy Markdown
Contributor Author

joske commented Apr 11, 2025

BTW, the audit workflow will fail until the cargo update PRs are merged (#3589 and the relevant one in snarkVM).

@joske joske force-pushed the audit branch 2 times, most recently from 13fb16c to 55c3111 Compare April 28, 2025 14:07
niklaslong
niklaslong reviewed Apr 28, 2025
View reviewed changes
niklaslong
niklaslong reviewed Apr 28, 2025
View reviewed changes
niklaslong
niklaslong reviewed Apr 28, 2025
View reviewed changes
kaimast
kaimast previously requested changes May 28, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@kaimast kaimast left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's move the audit action to CircleCI, and then we can merge it.

@kaimast kaimast dismissed their stale review June 4, 2025 22:21

Updated it myself.

@kaimast
Copy link
Copy Markdown
Contributor

kaimast commented Jun 4, 2025

I changed this PR to use CircleCI. It should be ready to merge, but I will not do it myself as I made changes.

@kaimast kaimast requested a review from niklaslong June 4, 2025 22:22
@kaimast kaimast mentioned this pull request Jun 4, 2025
Merged
@kaimast kaimast force-pushed the audit branch 4 times, most recently from e776737 to 11411c9 Compare June 4, 2025 22:38
@vicsn vicsn merged commit 84b0737 into ProvableHQ:staging Jun 5, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vicsn vicsn vicsn approved these changes

@kaimast kaimast kaimast left review comments

@raychu86 raychu86 Awaiting requested review from raychu86

@niklaslong niklaslong Awaiting requested review from niklaslong

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@joske @niklaslong @kaimast @vicsn