We're running cargo-deny regularly to check for security advisories. It has flagged a couple of problems in recent months, and I don't think we've found a good way of dealing with this kind of problem.

In the past we worked with authors on fixes, but in this case it's a dep of a dep of a dep, and it'd mean prodding a couple of projects. So far the experience isn't the best, since in general some projects are unmaintained and others are huge and can't be updated quickly enough.
As a current example, warp eventually depends on generic-array v0.12.3, which suffers from RUSTSEC-2020-0146:

    generic-array v0.12.3
    └── block-buffer v0.7.3
        └── sha-1 v0.8.2
            └── headers v0.3.3
                └── warp v0.3.0
Instead of waiting for a new release of warp (which would need to use an unreleased headers, which would hopefully use sha-1 v0.9), is there something simpler that we can do?

It looks like patching in Cargo.toml would only work if we had a local copy of e.g. sha-1, since it isn't possible to patch within the same source. Once we have a local fork, we'd need to remember to get rid of it once the upstream is fixed.
In a commercial environment, how do you deal with these situations? Wait for a fix, fork a local version and use patch, or something else? What is your workflow?
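As an added example (not part of the original post, and not a recommendation from the warp, headers or sha-1 projects), this is what a temporary `[patch.crates-io]` override for the chain above could look like in the workspace's Cargo.toml. The fork URL and branch name are placeholders. The one constraint worth knowing is that the patched crate must still satisfy the version requirement headers 0.3.3 places on sha-1, i.e. it must declare a 0.8.x version; otherwise Cargo reports that the patch was not used and resolves the unpatched crates.io copy.

```toml
# Cargo.toml at the workspace root (added example; the git URL and branch are
# placeholders, not a real repository)

[dependencies]
warp = "0.3.0"

[patch.crates-io]
# Override the transitive sha-1 0.8.2 with a fork whose own Cargo.toml still
# declares version = "0.8.x" (so the `sha-1 = "0.8"` requirement in headers keeps
# matching) but pulls in a block-buffer/generic-array combination that the
# RUSTSEC-2020-0146 advisory lists as patched. Cargo only accepts git or path
# sources here, which is why a fork is needed rather than a crates.io version.
# Remove this section once a headers release depending on sha-1 0.9 ships.
sha-1 = { git = "https://example.com/our-org/sha-1", branch = "bump-generic-array" }
```

After adding the override, `cargo update -p sha-1` re-resolves the lockfile, `cargo tree -i generic-array` should no longer show the 0.12.3 chain leading to warp, and `cargo deny check advisories` confirms the advisory is gone. If you instead decide to accept the risk for a bounded period, cargo-deny's `[advisories] ignore = ["RUSTSEC-2020-0146"]` in deny.toml documents that decision explicitly, which is easier to audit later than a fork that everyone has forgotten about.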