Skip to content

Comments

Fix advisory#652

Merged
dfaust merged 2 commits intonotify-rs:mainfrom
BenjaminBrienen:fix-advisory
Nov 10, 2024
Merged

Fix advisory#652
dfaust merged 2 commits intonotify-rs:mainfrom
BenjaminBrienen:fix-advisory

Conversation

@BenjaminBrienen
Copy link
Contributor

@BenjaminBrienen BenjaminBrienen commented Nov 10, 2024
edited
Loading

Fixes a security advisory. instant is no longer maintained, but there is a drop-in replacement.
image

@dfaust
Copy link
Member

dfaust commented Nov 10, 2024

Thanks. Can you please add a changelog entry:

## notify-types 2.0.0 (unreleased)

- CHANGE: replace instant crate with web-time **breaking**

@bushrat011899
Copy link

bushrat011899 commented Nov 10, 2024

Just calling out that instant is BSD-3-Clause licenced, while web-time is MIT/Apache-2.0. I don't know if that's an issue for this project (came here from Bevy) but wanted to make sure everyone's aware.

@dfaust
Copy link
Member

dfaust commented Nov 10, 2024

@bushrat011899 Thanks for the info. But I don't see an issue with MIT/Apache-2.0.

@dfaust dfaust mentioned this pull request Nov 10, 2024
Closed
@dfaust
Copy link
Member

dfaust commented Nov 10, 2024

@bushrat011899 Is there a Bevy issue related to this?

@bushrat011899
Copy link

bushrat011899 commented Nov 10, 2024

@dfaust no @BenjaminBrienen just noticed it and let us know on the Discord. They're very quick with this stuff haha.

@BenjaminBrienen
Copy link
Contributor Author

BenjaminBrienen commented Nov 10, 2024

@dfaust done! let me know if it is in the wrong spot or something.

@dfaust dfaust merged commit deb3427 into notify-rs:main Nov 10, 2024
@dfaust
Copy link
Member

dfaust commented Nov 10, 2024

Thanks

@BenjaminBrienen BenjaminBrienen deleted the fix-advisory branch November 10, 2024 21:51
@hyf0 hyf0 mentioned this pull request Nov 11, 2024
Closed
zydou pushed a commit to zydou/arti that referenced this pull request Nov 12, 2024
@gabi-250
cargo_audit: Temporarily ignore RUSTSEC-2024-0384.
58d5110 
We depend on `instant`, which is unmaintained, via `notify`.

`notify` switched over to [`web-time`], but hasn't relased the change
yet, so we need to ignore the advisory for now.

[`web-time`]: notify-rs/notify#652
@cakebaker cakebaker mentioned this pull request Nov 18, 2024
Closed
1 task
@andriyDev andriyDev mentioned this pull request Nov 22, 2024
Closed
@max-sixty max-sixty mentioned this pull request Dec 9, 2024
Closed
@sanpii sanpii mentioned this pull request Dec 19, 2024
Closed
@extrawurst
Copy link
Contributor

extrawurst commented Jan 10, 2025

@dfaust can this be released (notify-types and notify) to be able to move away from the security advisory?

@dfaust
Copy link
Member

dfaust commented Jan 10, 2025

notify-8.0.0 has just been released!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@BenjaminBrienen @dfaust @bushrat011899 @extrawurst