Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ignore clap yaml-rust advisory #4611

Merged
merged 6 commits into from
Nov 2, 2021
Merged

Ignore clap yaml-rust advisory #4611

merged 6 commits into from
Nov 2, 2021

Conversation

tarikeshaq
Copy link
Contributor

Our dependency advisory CI is failing again... I'm starting to question how useful of a check this is in practice, as opposed to a different advisory checking strategy..

An alternative I'm thinking of:

  • When an advisory is detected (we can run a chron job for this, github actions maybe?) that we are impacted by, it creates an issue for it. If one is already created, it's ignored
  • When anyone adds a new dependency, the normal "check-dependencies" job runs, we can probably add filters or something to circle CI to only run that job if Cargo.tomls are changed

Anyhoo, I'll create an issue for that, in the meantime:
#4604 added a yaml feature for clap, clap 2.33 uses a version of yaml-rust that has an advisory out. Based on clap-rs/clap#1569 it's a false positive for clap and can be safely ignored. Once clap v3 is out, we can upgrade and we'll get the new version of yaml-rust for free, and thus we can remove the ignore

@tarikeshaq tarikeshaq requested a review from a team October 26, 2021 20:18
@tarikeshaq tarikeshaq mentioned this pull request Oct 27, 2021
Merged
@codecov-commenter
Copy link

codecov-commenter commented Oct 28, 2021
edited
Loading

Codecov Report

Merging #4611 (c7026d8) into main (5eea186) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #4611   +/-   ##
=======================================
  Coverage   80.69%   80.69%           
=======================================
  Files          48       48           
  Lines        5217     5217           
=======================================
  Hits         4210     4210           
  Misses       1007     1007

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5eea186...c7026d8. Read the comment docs.

travis79
travis79 approved these changes Nov 2, 2021
View reviewed changes
Copy link
Member

@travis79 travis79 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was planning on using the serde_yaml crate which also relies on yaml-rust, currently at version 0.4.5. I don't think this is a problem, but I wanted to let you know that clap may not be the only crate with this dependency soon.

@skhamis
Copy link
Contributor

skhamis commented Nov 2, 2021

It seems the check-dependencies is still failing but for a different reason -- looks like a switch from master to main might as well regen the deps so get this fully green!

@tarikeshaq tarikeshaq merged commit a3d0f9e into main Nov 2, 2021
@tarikeshaq tarikeshaq deleted the fix-yaml-rust-adviosry branch November 2, 2021 15:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@travis79 travis79 travis79 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tarikeshaq @codecov-commenter @skhamis @travis79