adler is archived #1992
Comments
24% of all crates on crates.io transitively depend on |
@fintelia How did you figure this out? |
You can divide "Used in 35,426 crates" (https://lib.rs/crates/adler) by "150,348 Crates in stock" (https://crates.io). To see the historical metric, |
Thanks, @dtolnay! |
Given that, it would probably make sense to work directly with those 9 crates, perhaps opening an issue if there isn't one already and linking it here, rather than immediately publishing an advisory for this (or at least, wait until it's been fixed upstream so the advisory is actionable, and that action is to update Cargo.lock). Otherwise, this is going to be a very noisy advisory with little actionable impact aside from those 9 crates, especially as we don't currently have ways of filtering out advisories for transitive dependencies. |
I think it is of note that of those 9 direct dependants
this leaves only |
I think this will be an interesting test case of whether it always makes sense to issue unmaintained advisories: The |
Archived repos effectively can't receive bug reports. Even more so when the owner of the repo appears to have intentionally stopped all activity here, in which case it is preferable to respect their decision and avoid contacting the maintainer except in a critical circumstance. |
As the maintainer of miniz_oxide I would be fine with forking it; however, ideally it would be nice if there was someone besides me that could help out maintaining it and miniz_oxide (or maybe moving it to an org or something). The situation around it is not really ideal at the moment as I'm the only maintainer at the moment, as the actual owner of the miniz_oxide repo and other person with access rights has not had any activity since June last year, so I don't know if they are even still around. |
@oyvindln alternatively you could vendor the relevant code and drop the dependency, since there don’t seem to be that many other users |
I guess I'll fork it then - I'd rather keep it separate since there are actually some other active users of it. |
Okay - I have made a fork called adler2: Will make an update to miniz_oxide soon with a semver bump that updates to using adler2 instead of adler if this looks fine. |
Also ping @jonas-schievink in case they are still watching GitHub |
I've now also updated miniz_oxide to use adler2 - so main thing that remains is to update flate2 and backtrace to this version I guess |
https://crates.io/crates/adler has a lot of dependents, including https://github.com/rust-lang/backtrace-rs via https://github.com/Frommi/miniz_oxide .
See Frommi/miniz_oxide#148
https://github.com/jonas-schievink/adler was archived around 25 March 2024. Seems most of their repos were also archived.
https://github.com/jonas-schievink last commit was September 2023.