
Vulnerable to GHSA-g98v-hv3f-hcfr #18

Open
jszwedko opened this issue Oct 27, 2023 · 0 comments · May be fixed by #19

Comments

@jszwedko

Hey all,

I discovered this crate is vulnerable to GHSA-g98v-hv3f-hcfr via a dependency on atty:

atty v0.2.14
└── clap v2.34.0
    └── structopt v0.3.26
        └── prettydiff v0.6.5 (/private/tmp/prettydiff)

atty seems to be unmaintained. clap has swapped out its dependency in clap-rs/clap#4249, but this crate depends on an old version via structopt, which itself is deprecated in lieu of newer versions of clap.

I recognize this is probably pretty low priority, but has there been any thought to migrate to clap to get rid of the dependency on structopt?

Thank you!
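As an added example (not code from the issue author or the prettydiff project), a small Python parser for the inverted `cargo tree -i atty` output quoted above: it walks every path from the flagged crate back to the root crate and names the root's direct dependencies (here `structopt`) that would have to be replaced or upgraded to drop the advisory. The first branch of the sample is the tree from the issue; the second branch (`example-tty-helper`) is constructed to show how multiple paths are reported.

```python
import re

# cargo tree indents 4 columns per level using these box-drawing characters
TREE_CHARS = "│├└─ "
NAME_RE = re.compile(r"^(\S+) v(\S+)")

# First branch is the `cargo tree -i atty` output quoted in the issue; the
# second branch (example-tty-helper) is constructed to exercise multiple paths.
SAMPLE_TREE = """\
atty v0.2.14
├── clap v2.34.0
│   └── structopt v0.3.26
│       └── prettydiff v0.6.5 (/private/tmp/prettydiff)
└── example-tty-helper v0.1.0
    └── prettydiff v0.6.5 (/private/tmp/prettydiff)
"""

def parse_inverted_tree(text):
    """Return every path from the flagged crate (depth 0) to a leaf, as lists
    of (name, version); in an inverted tree the leaves are the root crates."""
    nodes = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        body = raw.lstrip(TREE_CHARS)
        depth = (len(raw) - len(body)) // 4
        m = NAME_RE.match(body)
        if not m:
            raise ValueError(f"unrecognised cargo tree line: {raw!r}")
        nodes.append((depth, (m.group(1), m.group(2))))
    paths, ancestors = [], []
    for i, (depth, node) in enumerate(nodes):
        ancestors = ancestors[:depth] + [node]
        # a node is a leaf when the following line is not deeper than it
        if i + 1 == len(nodes) or nodes[i + 1][0] <= depth:
            paths.append(list(ancestors))
    return paths

def direct_deps_pulling_in(paths, root):
    """Name the root crate's direct dependencies that transitively pull in the
    flagged crate: these are what a maintainer must replace or upgrade."""
    return sorted({path[-2][0] for path in paths
                   if len(path) >= 2 and path[-1][0] == root})

if __name__ == "__main__":
    found = parse_inverted_tree(SAMPLE_TREE)
    for path in found:
        print(" -> ".join(f"{n} {v}" for n, v in path))
    print("replace:", direct_deps_pulling_in(found, "prettydiff"))
```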

jszwedko added a commit to vectordotdev/vrl that referenced this issue Dec 1, 2023
We don't seem to be using it and it causes a vulnerability to be flagged due to a dependency on an
old version of clap that depends on the unmaintained atty.

romankoblov/prettydiff#18

Signed-off-by: Jesse Szwedko <jesse.szwedko@datadoghq.com>
github-merge-queue bot pushed a commit to vectordotdev/vrl that referenced this issue Dec 4, 2023
* chore(deps): Remove prettydiff cli feature

We don't seem to be using it and it causes a vulnerability to be flagged due to a dependency on an
old version of clap that depends on the unmaintained atty.

romankoblov/prettydiff#18

Signed-off-by: Jesse Szwedko <jesse.szwedko@datadoghq.com>

* regenerate licenses

Signed-off-by: Jesse Szwedko <jesse.szwedko@datadoghq.com>

---------

Signed-off-by: Jesse Szwedko <jesse.szwedko@datadoghq.com>
@KisaragiEffective KisaragiEffective linked a pull request Dec 4, 2023 that will close this issue