RUSTSEC-2021-0139: ansi_term is Unmaintained

[github-actions]

ansi_term is Unmaintained

Details
Status	unmaintained
Package	ansi_term
Version	0.12.1
URL	ogham/rust-ansi-term#72
Date	2021-08-18

The maintainer has adviced this crate is deprecated and will not
receive any maintenance.

The crate does not seem to have much dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

• anstyle
• nu-ansi-term
• yansi

See advisory page for additional details.

[mrl5]

dependency chain for ansi_term is:

• ansi_term pulled byclap-2.34.0:

  vulner/Cargo.lock

  Lines 154 to 160 in 2f585d7

  	[[package]]
  	name = "clap"
  	version = "2.34.0"
  	source = "registry+https://github.com/rust-lang/crates.io-index"
  	checksum = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
  	dependencies = [
  	"ansi_term",

• clap-2.34.0 pulled by structopt-0.3.26:

  vulner/Cargo.lock

  Lines 1582 to 1588 in 5beafc0

  	[[package]]
  	name = "structopt"
  	version = "0.3.26"
  	source = "registry+https://github.com/rust-lang/crates.io-index"
  	checksum = "0c6b5c64445ba8094a6ab0c3cd2ad323e07171012d9c98b0b15651daf1787a10"
  	dependencies = [
  	"clap",

• structopt-0.3.26 is direct vulner dependency in cli crate:

  vulner/Cargo.lock

  Lines 182 to 199 in 5beafc0

  	[[package]]
  	name = "cli"
  	version = "0.4.0"
  	dependencies = [
  	"atty",
  	"chrono",
  	"confy",
  	"cpe-tag",
  	"env_logger",
  	"log",
  	"once_cell",
  	"os-adapter",
  	"reqwest",
  	"security-advisories",
  	"serde",
  	"serde_json",
  	"sha2",
  	"structopt",

structopt is used here:

vulner/crates/cli/src/main.rs

Line 10 in 5beafc0

use structopt::{clap::AppSettings, StructOpt};

- introduced in commit 78b0d8d

clap stopped using ansi_term since version 3 but structopt-0.3.26 explicitly wants 2.34.0 version of clap

[mrl5]

this is blocked until structopt switches to clap-3 (because ansi_term is not used since clap-3)

if ansi_term will have some vulnerability periodic cargo security audit should detect it

[mrl5]

based on this answer: TeXitoi/structopt#528 (comment)

and this post: https://www.reddit.com/r/rust/comments/pkzde6/comment/hc7x5s7/

I guess in order to fix this issue structopt dependency should be replaced with clap-3

[epage]

We've tried to raise awareness of clap superseding `structopt

• Pinned issue
• Note on docs.rs

Technically, it is still somewhat maintained to a degree, so classifying it as unmaintained in rustsec probably isn't appropriate to raise visibility.

In general, I wish there was a way for a crate like structopt to communicate that the upgrade path is a different crate.

[mrl5]

thanks for clarification @epage - I appreciate it :) I guess eventually I will migrate from structopt to clap-3

[mrl5]

as per GHSA-74w3-p89x-ffgh

This advisory has been withdrawn because it does not discuss a particular vulnerability in the code of ansi_term.