Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix advisory #652

Merged
merged 2 commits into from
Nov 10, 2024
Merged

Fix advisory #652

merged 2 commits into from
Nov 10, 2024
+7 −3

Conversation

BenjaminBrienen
Copy link
Contributor

@BenjaminBrienen BenjaminBrienen commented Nov 10, 2024
edited
Loading

Fixes a security advisory. instant is no longer maintained, but there is a drop-in replacement.
image

@dfaust
Copy link
Member

dfaust commented Nov 10, 2024

Thanks. Can you please add a changelog entry:

## notify-types 2.0.0 (unreleased)

- CHANGE: replace instant crate with web-time **breaking**

@bushrat011899
Copy link

Just calling out that instant is BSD-3-Clause licenced, while web-time is MIT/Apache-2.0. I don't know if that's an issue for this project (came here from Bevy) but wanted to make sure everyone's aware.

@dfaust
Copy link
Member

dfaust commented Nov 10, 2024

@bushrat011899 Thanks for the info. But I don't see an issue with MIT/Apache-2.0.

@dfaust dfaust mentioned this pull request Nov 10, 2024
Closed
@dfaust
Copy link
Member

dfaust commented Nov 10, 2024

@bushrat011899 Is there a Bevy issue related to this?

@bushrat011899
Copy link

@dfaust no @BenjaminBrienen just noticed it and let us know on the Discord. They're very quick with this stuff haha.

@BenjaminBrienen
Copy link
Contributor Author

@dfaust done! let me know if it is in the wrong spot or something.

@dfaust dfaust merged commit deb3427 into notify-rs:main Nov 10, 2024
1 check passed
@dfaust
Copy link
Member

dfaust commented Nov 10, 2024

Thanks

@BenjaminBrienen BenjaminBrienen deleted the fix-advisory branch November 10, 2024 21:51
@hyf0 hyf0 mentioned this pull request Nov 11, 2024
Open
zydou pushed a commit to zydou/arti that referenced this pull request Nov 12, 2024
@gabi-250
cargo_audit: Temporarily ignore RUSTSEC-2024-0384.
58d5110 
We depend on `instant`, which is unmaintained, via `notify`.

`notify` switched over to [`web-time`], but hasn't relased the change
yet, so we need to ignore the advisory for now.

[`web-time`]: notify-rs/notify#652
@cakebaker cakebaker mentioned this pull request Nov 18, 2024
Closed
1 task
@andriyDev andriyDev mentioned this pull request Nov 22, 2024
Open
@max-sixty max-sixty mentioned this pull request Dec 9, 2024
Closed
@sanpii sanpii mentioned this pull request Dec 19, 2024
Open
@extrawurst
Copy link
Contributor

@dfaust can this be released (notify-types and notify) to be able to move away from the security advisory?

@dfaust
Copy link
Member

dfaust commented Jan 10, 2025

notify-8.0.0 has just been released!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@BenjaminBrienen @dfaust @bushrat011899 @extrawurst