new release?

[ImJeremyHe]

Is this repo still maintained?

[CAD97]

TL;DR is that @dragostis is busy with other obligations and pops in from time to time. I'm online a lot but don't have time to actively develop, just curate issues/PRs.

[ClementNerma]

TL;DR is that @dragostis is busy with other obligations and pops in from time to time. I'm online a lot but don't have time to actively develop, just curate issues/PRs.

There's only been ~80 commits in 2 whole years, so wouldn't it be a good idea to indicate in the README that the repository is looking for maintainers? This way more people may come to contribute to this repository :)

This is a really great project, it'd be unfortunate for it to not continue to improve over time.

[roy-work]

FYI, today¹ RUSTSEC-2020-0146 was released; pest is affected as it depends indirectly on the vulnerable version of generic-array:

└── pest_derive v2.1.0
    ├── pest v2.1.3 (*)
    └── pest_generator v2.1.1
        ├── pest v2.1.3 (*)
        ├── pest_meta v2.1.2
        │   ├── maplit v1.0.2
        │   └── pest v2.1.3 (*)
        │   [build-dependencies]
        │   └── sha-1 v0.8.1
        │       ├── block-buffer v0.7.3
        │       │   ├── block-padding v0.1.5
        │       │   │   └── byte-tools v0.3.1
        │       │   ├── byte-tools v0.3.1
        │       │   ├── byteorder v1.3.4
        │       │   └── generic-array v0.12.3  # crate w/ RUSTSEC
        │       │       └── typenum v1.12.0
        │       ├── digest v0.8.1
        │       │   └── generic-array v0.12.3 (*)

(It's not possible to simply upgrade generic-array in a project using pest here, as the fix is in 0.14, which is a breaking change.)

pest, here, would need to upgrade to sha-1 v0.9 or later. The good news is that it's already been done!; it just needs to be released.

_{1. Don't let the 2020 in RUSTSEC-2020-0146 fool you, it did in fact happen today.}

[MarinPostma]

This is affecting us at Meilisearch, we depend on a patch, and cannot vendor our package anymore. A release would be greatly appreciated. We can also help maintain this repo if need be.

[fmorency]

We're also affected by today's RustSec, and this package. Let us know how we can help. A new release would be appreciated!

[nilgoyette]

Same here.

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 251 security advisories (from /root/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (189 crate dependencies)
error: 1 vulnerability found!
Crate:         generic-array
Version:       0.12.4
Title:         arr! macro erases lifetimes
Date:          2020-04-09
ID:            RUSTSEC-2020-0146
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0146
Solution:      Upgrade to >=0.14.0
Dependency tree: 
generic-array 0.12.4

generic-array has been updated from 0.12.3 to 0.12.4 this morning but it doesn't fix this problem. Can you please fix this?

[nilgoyette]

Oups, I was 5 minutes too fast. The advisory -db has been updated. generic-array 0.12.4 does fix the problem.

[MaxBondABE]

@MarinPostma @fmorency You mentioned you may be interested in contributing to help create a new release. I'd like to bring your attention to this issue, where we are organizing a working group for that purpose.

#496

[tomtau]

#485

[CAD97]

Duplicate of #485

(So GitHub hopefully picks this up)

[tomtau]

It's here: #669