Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tracking issue for fixing chrono crate dependencies #20568

Open
1 of 4 tasks
rillian opened this issue Jan 19, 2022 · 0 comments
Open
1 of 4 tasks

Tracking issue for fixing chrono crate dependencies #20568

rillian opened this issue Jan 19, 2022 · 0 comments
Labels
dev-concern OS/Android Fixes related to Android browser functionality OS/Desktop

Comments

@rillian
Copy link

rillian commented Jan 19, 2022
edited
Loading

Description

The popular chrono Rust crate v0.4.19 has two outstanding security advisories, RUSTSEC-2020-0071 and RUSTSEC-2020-0159 which upstream hasn't addressed after more than a year.

Because the issue is specific to querying the local time, as opposed to date parsing, formatting, or calculations without reference to the local timezone, We have periodically audited uses of this crate and then ignored these specific advisories.

This is time consuming and error prone, so we'd like our own code and dependencies to migrate to other crates for the same functionality. This is happening to some extent, with newer versions of the time crate taking up some of the slack.

This issue is for tracking related work.

Follow-up to #18835

Tasks
@rillian rillian added OS/Android Fixes related to Android browser functionality OS/Desktop dev-concern labels Jan 19, 2022
This was referenced Jan 21, 2022
Closed
Merged
@dignifiedquire dignifiedquire mentioned this issue Jan 30, 2022
Closed
@AurelienFT AurelienFT mentioned this issue Mar 4, 2022
Merged
bors bot added a commit to massalabs/massa that referenced this issue Mar 8, 2022
@bors @AurelienFT
Merge #2376
4e3c498 
2376: Fix security audit - get rid of chrono and use time directly r=AurelienFT a=AurelienFT

Chrono still use a very old version of time (0.1 now it's 0.3). They have a PR running since months for updating but it seems that there is communication problems that lead to long time development. The PR : chronotope/chrono#639

This break our CI like a lot of others projects that use `cargo audit`. A lot of projects that use chrono to do things that are now implemented in the new version of `time` has switched to use `time` directly instead of using tokio. Some examples : 
- brave/brave-browser#20568
- meilisearch/milli#450

So as we also only use chrono to make things that now possible in `time` which is more maintained I suggest in this PR a change to use `time` instead of `chrono`. So that it will fix our CI and make us use a more maintained dependency.

Fix #2374 

Co-authored-by: AurelienFT <aurelien.foucault@epitech.eu>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dev-concern OS/Android Fixes related to Android browser functionality OS/Desktop
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rillian