Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

yaml-rust appears unmaintained... #1921

Closed
qtfkwk opened this issue Mar 13, 2024 · 27 comments · Fixed by #1922
Closed

yaml-rust appears unmaintained... #1921

qtfkwk opened this issue Mar 13, 2024 · 27 comments · Fixed by #1922

Comments

@qtfkwk
Copy link

qtfkwk commented Mar 13, 2024

See also chyh1990/yaml-rust#197

@qtfkwk
Copy link
Author

qtfkwk commented Mar 13, 2024

Stumbled onto https://crates.io/crates/yaml-rust2 / https://github.com/Ethiraric/yaml-rust2 yesterday... it forks from the latest commit on the original repository https://github.com/chyh1990/yaml-rust on 2021-07-12, and adds commits starting on 2023-08-14 and latest on 2024-02-08.

I've done a quick review and appears to be functional and in good faith, but should have more people review and confirm.

Also, strangely... @Ethiraric doesn't seem to have any means of contact posted in Github, and has issues disabled on the yaml-rust2 repository (?). Edit: resolved... see #1921 (comment)

@Ethiraric
Copy link

Heya!
Having issues disabled was (I think) an unintended side-effect of the repository being a fork in a first place and was not at all intentional.

It forks from one of the pull requests from the original yaml-rust where the author added support for the yaml test suite, a set of YAML files and their expected output. yaml-rust did not pass the whole test suite. Although most of the tests were corner cases that were unlikely to be encountered in real-world YAML, I have fixed all of them so that yaml-rust2 now correctly passes the whole suite.

I've also added a bunch of comments to the code, refactored some constructs and optimized so that the library should be faster than yaml-rust.

I have waited to produce real benchmark data before doing an announced release. I am fairly new to the art of benchmarking, and my last attempts at optimizing have failed, which is why there hasn't been any meaningful commit for a month now.

As-is, I see no reason the code would be less functional than yaml-rust, but I am human and make errors, so maybe there's something I missed, in which case a bug report (now that I have issues enabled, thanks to you) would be welcome.

If there's anything I could help with, do feel free to open an issue or send me an e-mail (I'll add that to my profile in a second, but I have a gmail address whose local part is my username here).

@smoelius
Copy link
Contributor

@davvid's https://crates.io/crates/yaml-rust-davvid is another fork that, to the best of my knowledge, is sincere.

@davvid
Copy link
Contributor

davvid commented Mar 14, 2024

Yes, I'm relying on the availability of this functionality long-term so I'd be more than happy to help maintain a fork or swap over to a different fork. I wasn't aware of yaml-rust2, thanks for bringing that to my attention.

@Ethiraric
Copy link

I've had a look at the commits on @davvid's repository, and it seems that they are mostly focused on the output API and handling of Yaml elements. If that's the case, our works should be complementary as I almost exclusively focused on the parsing side of the project.

@Ethiraric
Copy link

@davvid Our repositories should have a common ancestor in the latest yaml-rust commit.

Would it be okay with you if I tried merging your commit tree into my repository?

@davvid
Copy link
Contributor

davvid commented Mar 17, 2024

@Ethiraric that'd be great. I actually started on the merge before seeing your message and submitted the changes in a clean rebase over at Ethiraric/yaml-rust2#2

@Ethiraric
Copy link

Thank you very much for your work on this pull request! I hope we can get it to merge cleanly soon ❤️

@tarcieri
Copy link
Member

I just wanted to say that yaml-rust appears to be implicitly unmaintained, however per our unmaintained crates policy we prefer to wait for 90 days after an issue like chyh1990/yaml-rust#197 has been opened to give the author time to respond.

If someone would like to file an unmaintained crate advisory in advance, we can merge it when that time has elapsed.

@davvid
Copy link
Contributor

davvid commented Mar 20, 2024

I'm linking these here so that folks landing here can see the full paper trail going back to 2020. I guess waiting another 3 months isn't really going to hurt (or change much) in that respect since we've already waited ~4 years.

chyh1990/yaml-rust#160

chyh1990/yaml-rust#192

@tarcieri
Copy link
Member

Aah, with chyh1990/yaml-rust#160 especially it seems clear this crate is unmaintained as the maintenance status has already been publicly asked about without response.

Feel free to file an advisory then. It can be merged immediately.

@jayvdb
Copy link
Contributor

jayvdb commented Mar 25, 2024

@tarcieri
Copy link
Member

@jayvdb that would be good to report on the yaml-rust2 repo: https://github.com/Ethiraric/yaml-rust2/issues

@Ethiraric
Copy link

Sorry this is a bit out of topic but I'll reply here.

If I'm not mistaken, this refers to the encoding crate being unmaintained. A fix is already on master (though it will unfortunately require a breaking change for people using it).

@rocallahan
Copy link

Why can't yaml-rust2 take over the yaml-rust crate name? Updating the world to yaml-rust2 is going to be pretty painful. Lots of third-party crates will have to be patched, and there's the possibility of type mismatches while some crates are updated and others aren't. Also, dtolnay responded by marking serde_yaml as unmaintained :-(.

@tarcieri
Copy link
Member

nazmulidris added a commit to r3bl-org/r3bl-open-core that referenced this issue Apr 15, 2024
`yaml-rust` crate is unmaintained

1) `syntect` author won't update this dep to a fork of it due to lack
of trust concerns with this new fork:
trishume/syntect#526

2) cargo-deny produces this output:

error[unmaintained]: yaml-rust is unmaintained.
    ┌─ /home/nazmul/github/r3bl-open-core/Cargo.lock:295:1
    │
295 │ yaml-rust 0.4.5 registry+https://github.com/rust-lang/crates.io-index
    │ --------------------------------------------------------------------- unmaintained advisory detected
    │
    = ID: RUSTSEC-2024-0320
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0320
    = The maintainer seems [unreachable](chyh1990/yaml-rust#197).

      Many issues and pull requests have been submitted over the years
      without any [response](chyh1990/yaml-rust#160).

      ## Alternatives

      Consider switching to the actively maintained `yaml-rust2` fork of the original project:

      - [yaml-rust2](https://github.com/Ethiraric/yaml-rust2)
      - [yaml-rust2 @ crates.io](https://crates.io/crates/yaml-rust2))
    = Announcement: rustsec/advisory-db#1921
    = Solution: No safe upgrade is available!
    = yaml-rust v0.4.5
      └── syntect v5.1.0
          └── r3bl_tui v0.5.2
              └── r3bl-cmdr v0.0.11
nazmulidris added a commit to r3bl-org/r3bl-open-core that referenced this issue Apr 15, 2024
`yaml-rust` crate is unmaintained

1) `syntect` author won't update this dep to a fork of it due to lack
of trust concerns with this new fork:
trishume/syntect#526

2) cargo-deny produces this output:

error[unmaintained]: yaml-rust is unmaintained.
    ┌─ /home/nazmul/github/r3bl-open-core/Cargo.lock:295:1
    │
295 │ yaml-rust 0.4.5 registry+https://github.com/rust-lang/crates.io-index
    │ --------------------------------------------------------------------- unmaintained advisory detected
    │
    = ID: RUSTSEC-2024-0320
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0320
    = The maintainer seems [unreachable](chyh1990/yaml-rust#197).

      Many issues and pull requests have been submitted over the years
      without any [response](chyh1990/yaml-rust#160).

      ## Alternatives

      Consider switching to the actively maintained `yaml-rust2` fork of the original project:

      - [yaml-rust2](https://github.com/Ethiraric/yaml-rust2)
      - [yaml-rust2 @ crates.io](https://crates.io/crates/yaml-rust2))
    = Announcement: rustsec/advisory-db#1921
    = Solution: No safe upgrade is available!
    = yaml-rust v0.4.5
      └── syntect v5.1.0
          └── r3bl_tui v0.5.2
              └── r3bl-cmdr v0.0.11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

8 participants