RUSTSEC-2024-0436: paste is unmaintained (rmp)

[kpcyrd]

hello!

I'm filing this well aware that this is not a security issue in itself (the crate is probably still good to use for now), but also wanted to document that rmp is currently pulling paste into the dependency tree that RUSTSEC-2024-0436 has been filed against.

I don't know what the crate does/did, so not sure how easy this is to change.

Cheers!

[V0ldek]

Also wanted to flag this, this counts as a vulnerability for the purposes of tools such as cargo-deny. In my case it's not high severity since I only use rmp-serde as a dev-dependency, but if someone uses a similarly aggressive security policy on their crate as I do and has it as an actual dependency then their build just became broken.

dtolney didn't really leave any helpful notes behind, just a terse "no longer maintained" note so I don't know how to migrate this, it probably heavily depends on how this crate used paste.

[kpcyrd]

In the meantime cargo-deny 0.18.2 has re-introduced:

[advisories]
unmaintained = "workspace"

To only fail the build if you depend on an unmaintained crate directly, which I think is a reasonable approach.

The update has been merged into Alpine edge just now: https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/80492

[kajahusain-a]

Can this be merged?