yaml-rust dependency is outdated

[kpcyrd]

Affected Version of clap

2.32.0

Bug or Feature Request Summary

The latest version of yaml-rust is currently:

yaml-rust = "0.4.2"

The version clap is depending on is:

yaml-rust = { version = "0.3.5", optional = true }

An update would be appreciated!

[hashmap]

$cargo audit
    Fetching advisory database from `https:/RustSec/advisory-db.git`
      Loaded 17 security advisories (from /home/ubuntu/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (311 crate dependencies)
error: Vulnerable crates found!

ID:      RUSTSEC-2018-0006
Crate:   yaml-rust
Version: 0.3.5
Date:    2018-09-17
URL:     https:/chyh1990/yaml-rust/pull/109
Title:   Uncontrolled recursion leads to abort in deserialization
Solution: upgrade to: >= 0.4.1

error: 1 vulnerability found!

[ErichDonGubler]

Wait, why did this get reverted? :( Should the issue be reopened?

[spacekookie]

Just to bring everybody up to speed. Yes, the PR that fixed this issue was reverted. The description explains in detail why (#1439)

I have opened chyh1990/yaml-rust#126 which would allow me to merge a backported patch that mitigates this vulnerability to 0.3.x. Then they could publish a new patch version that we pin to 🎉

[ErichDonGubler]

Wonderful explanation! Thank you. :)

[gedigi]

@spacekookie yaml-rust doesn't seem actively maintained, or at least I don't see your request getting any attention. Alternatives?

[spacekookie]

I'd suggest we fork 0.3 and upload it to crates.io ourselves. I'll probably do that this afternoon.

Thanks for the reminder on this btw. I've been pretty swamped at work the last 2 months 😩

[gedigi]

Thanks a lot. Is there anything I can do to help? I don’t have much experience dealing with crates.io.

[CreepySkeleton]

Closing due to inactivity. Honestly, I don't think we should fix it unless we have the patch backported to rust-yaml 0.3

[kpcyrd]

If yaml support is unmaintained, can you please drop the dependency as a whole?

[CreepySkeleton]

How would you expect us to drop it from 2.33? That would be a breaking change.

Also, like I said, there's no much point in this fix for clap anyway.

[kpcyrd]

I didn't file the issue due to security issues but because we have to carry a patch for clap downstream: https://salsa.debian.org/rust-team/debcargo-conf/blob/master/src/clap/debian/patches/relax-dep-versions.patch

Closing the issue doesn't make the dependency less outdated.

[pksunkara]

We have a duplicate at #1569. Please follow there.

[CreepySkeleton]

@kpcyrd for clarity, the reason we can't bump rust-yaml to 0.4 is because some types from this crate are part of clap's API. If we actually do the bump, that would be s breaking change for users relying on them.

We did bump in the new-coming clap 3.0 but clap 2.x is going to have to stay on rust-yaml 0.3.x