Unmaintained advisory for humantime #2249
This one seems tricky due to the large numbers of downstream dependencies (I see For starters, it would probably be good to open an issue on
@tarcieri Agreed. I made a simple PR to
Another alternative to https://docs.rs/jiff/latest/jiff/fmt/friendly/index.html#comparison-with-the-humantime-crate
It would be good to wait for a This is another big user of
@tarcieri I just opened PR to fix
Analysis of some more
PR about switching
The crate [`humantime`](https://crates.io/crates/humantime) appears to be unmaintained. There's an open PR in RustSec's advisory-db about this: rustsec/advisory-db#2249

The crates [`clap`](https://crates.io/crates/clap) and [`env_logger`](https://crates.io/crates/env_logger) have already made the switch from `humantime` to [`jiff`](https://crates.io/crates/jiff):

* clap-rs/clap#5944
* rust-cli/env_logger#352

The `jiff` crate is already a dependency of `cargo` via `gix` (albeit an old 0.1 version, but that's probably fixed in the [next gix release](GitoxideLabs/gitoxide@3ae99a4)):

```
jiff v0.1.29
└── gix-date v0.9.3
    ├── gix v0.70.0
    │   └── cargo v0.88.0 (/Users/oherrala/rust/cargo)
```

This PR shouldn't have any functional change to cargo itself.
@tarcieri
Cool. Edit: oh hey, I guess
this commit replaces `humantime`, which is no longer maintained, with `jiff`.

see this error when `main` today is built:

```
error[unmaintained]: humantime is unmaintained
   ┌─ /linkerd/linkerd2-proxy/Cargo.lock:78:1
   │
78 │ humantime 2.1.0 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected
   │
   ├ ID: RUSTSEC-2025-0014
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0014
   ├ Latest `humantime` crates.io release is four years old and GitHub repository has not seen commits in four years.
     Question about maintenance status has not gotten any reaction from maintainer: chronotope/humantime#31

     ## Possible alternatives

     * [jiff](https://crates.io/crates/jiff) provides same kind of functionality
   ├ Announcement: chronotope/humantime#31
   ├ Solution: No safe upgrade is available!
   ├ humantime v2.1.0
     └── linkerd-http-access-log v0.1.0
         └── linkerd-app-inbound v0.1.0
             ├── linkerd-app v0.1.0
             │   ├── linkerd-app-integration v0.1.0
             │   └── linkerd2-proxy v0.1.0
             ├── linkerd-app-admin v0.1.0
             │   ├── linkerd-app v0.1.0 (*)
             │   └── (dev) linkerd-app-integration v0.1.0 (*)
             └── linkerd-app-gateway v0.1.0
                 └── linkerd-app v0.1.0 (*)

advisories FAILED, bans ok, licenses ok, sources ok
```

see:
* rustsec/advisory-db#2249.
* chronotope/humantime#31.

Signed-off-by: katelyn martin <kate@buoyant.io>
The `humantime` crate briefly had unmaintained status, for which RUSTSEC-2025-0014 was issued. It has since become maintained again, and that advisory has been withdrawn, so this removes it from the list of advisories we allow `cargo deny` to ignore.

Background:
- https://rustsec.org/advisories/RUSTSEC-2025-0014.html (advisory)
- rustsec/advisory-db#2249 (issued)
- rustsec/advisory-db#2252 (withdrawn)
- cf7f34d in GitoxideLabs#1882 (commit that ignored it, among other changes)
The `humantime` crate briefly had unmaintained status, for which RUSTSEC-2025-0014 was issued. It has since become maintained again, and that advisory has been withdrawn. So this removes it from the list of advisories we allow `cargo deny` to ignore.

Background:
- https://rustsec.org/advisories/RUSTSEC-2025-0014.html (advisory)
- rustsec/advisory-db#2249 (issued)
- rustsec/advisory-db#2252 (withdrawn)
- cf7f34d in GitoxideLabs#1882 (commit that ignored it, among other changes)
Last crates.io release 2021-01-13 and no GitHub commits since 2021-12-28.
Question about maintenance status posted 2022-08-04 with no answer from maintainer: chronotope/humantime#31
This crate has some big dependents like `clap` (with 20309 dependents) and `env_logger` (with 8090 dependents).

Update 2025-03-10: `env_logger` 0.11.7 dropped `humantime` dependency in favor of `jiff`.