You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The fuel-core project uses yanked dependencies like pest@2.60 and hermit-abi@0.3.1. Furthermore, the fuel-vm and fuel-core projects both depend on the unmaintained library atty with soundness issues on Windows.
Recommendations
Short term, run cargo update which will update the yanked dependencies. Additionally, upgrade criterion to 0.5 across the projects. Unfortunately, datatest-stable has a transitive dependency on atty which can not be avoided until a new version of datatest-stable is released.
Long term, run cargo-audit in the CI and report its output. Note, that the cargo-audit tool scans the Cargo.lock file which includes false-positives due to optional dependencies.
The text was updated successfully, but these errors were encountered:
We run cargo update before the publishing of a new release of fuel-core. But it is not required action and is done manually. Maybe we can automate it somehow.
Description
The fuel-core project uses yanked dependencies like pest@2.60 and hermit-abi@0.3.1. Furthermore, the fuel-vm and fuel-core projects both depend on the unmaintained library atty with soundness issues on Windows.
Recommendations
Short term, run cargo update which will update the yanked dependencies. Additionally, upgrade criterion to 0.5 across the projects. Unfortunately, datatest-stable has a transitive dependency on atty which can not be avoided until a new version of datatest-stable is released.
Long term, run cargo-audit in the CI and report its output. Note, that the cargo-audit tool scans the Cargo.lock file which includes false-positives due to optional dependencies.
The text was updated successfully, but these errors were encountered: