cargo-deny regularly to check for security advisories. It has flagged a couple of problems in recent months and I don't think we found a good way of dealing with this kind of problem.
In the past we worked with authors on fixes but in this case it's a dep of a dep of a dep and it'd mean prodding a couple of projects and so far the experience isn't the best since in general some projects are unmaintained and others are huge and can't be updated quickly enough.
As a current example, `warp` eventually depends on `generic-array v0.12.3`, which suffers from RUSTSEC-2020-0146:

```
generic-array v0.12.3
├── block-buffer v0.7.3
│   └── sha-1 v0.8.2
│       └── headers v0.3.3
│           └── warp v0.3.0
```
Instead of waiting for a new release of `warp` (which would need to use an unreleased `headers`, which would hopefully use `sha-1 v0.9`), is there something simpler that we can do?
It looks like patching in `Cargo.toml` would only work if we had a local copy of e.g. `sha-1`, since it isn't possible to patch within the same source. Once we have a local fork, we'd need to remember to get rid of it once the upstream is fixed.
In a commercial environment, how do you deal with these situations? Wait for a fix, fork a local version and use `patch`, or something else? What is your workflow?
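For reference, here is what the two temporary options look like in configuration; this is an added example, not part of the original post, and the package name, fork URL, branch and vendor path are placeholders. The caveat worth knowing is that Cargo only applies a `[patch]` entry whose version still satisfies every requirement in the graph, so the fork must stay on the 0.8.x line that `headers v0.3.3` requires and only bump its own transitive requirements.

```toml
# Cargo.toml of the workspace root (placeholder package; only the [patch]
# section matters for the question above).
[package]
name = "my-service"   # placeholder
version = "0.1.0"
edition = "2018"

[dependencies]
warp = "0.3"

# Option A: temporarily override the transitive dependency with our own fork.
# The patched sha-1 must remain version 0.8.x, because headers 0.3.3 depends
# on sha-1 "0.8"; a fork that bumped itself to 0.9 would be silently unused
# (cargo prints a "patch ... was not used" warning). The fork only raises its
# own block-buffer / generic-array requirements so that 0.12.3 drops out.
[patch.crates-io]
sha-1 = { git = "https://example.invalid/our-org/sha-1", branch = "drop-generic-array-0.12.3" }  # placeholder fork
# sha-1 = { path = "vendor/sha-1" }   # same thing with a local checkout

# Reminder to remove this override: once `cargo tree -i generic-array` no
# longer shows the 0.12.3 line through headers/warp, delete the [patch] entry
# and run `cargo update -p sha-1` so the lock file points back at crates.io.

# ---------------------------------------------------------------------------
# deny.toml (Option B): keep the advisory acknowledged rather than hidden,
# with the reason and the removal condition recorded beside it, so the next
# `cargo deny check advisories` run still fails on anything new.
# [advisories]
# ignore = [
#     # RUSTSEC-2020-0146: generic-array 0.12.3 reached only via
#     # warp -> headers -> sha-1 -> block-buffer; not on a request path we
#     # control. Remove when warp ships with a headers that uses sha-1 0.9.
#     "RUSTSEC-2020-0146",
# ]
```

Either way the entry carries its own expiry condition in the file, which is the part that is easy to forget once the override "just works".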