RUSTSEC-2024-0370: proc-macro-error is unmaintained #1593
IIUC is a dependency brought by It has been removed in the past from I think the only problem is that both
It would be nice if we could upgrade clap and not enforce that the example crates build on MSRV
Yes, I agree! Currently, the only thing enforcing MSRV on examples is the
dependency on `proc-macro-error`. In bitcoindevkit#1593 it's mentioned that `proc-macro-error` is unmaintained for the past few years, with no fix other than using proc-macro-error2 instead. As in our scenario it's merely a transitive dependency of `clap`, through `clap_derive` feature, which in latest releases doesn't depend on `proc-macro-error` we can just bump it to latest. It's valid to note that by bumping it, both examples that rely on clap are no longer MSRV (1.63) compliant.
d802d00 fix(RUSTSEC-2024-0370)!: bump `clap` to latest, removing transitive dependency on `proc-macro-error`. (Leonardo Lima)
45be317 refactor(ci)!: update CI to build and test example in specific job (Leonardo Lima)
519728c chore(examples)!: update all examples to have `example_` prefix (Leonardo Lima)
9b7b195 chore: use path as `name` for cargo test targets (Leonardo Lima)
6e8f196 fix(bdk_electrum): build with `--no-default-features` (Leonardo Lima)
33942ec fix(bdk_esplora): build with `--no-default-features` (Leonardo Lima)

Pull request description:

A candidate for fixing #1593. It builds on top of #1615

### Description

In #1593 it's mentioned that `proc-macro-error` is unmaintained for the past few years, with no fix other than using proc-macro-error2 instead. As in our scenario it's merely a transitive dependency of `clap`, through `clap_derive` feature, which in latest releases doesn't depend on `proc-macro-error` we can just bump it to latest. It's valid to note that by bumping it, both examples that rely on clap are no longer MSRV (1.63) compliant.

That said, this PR does:

- Standardize the example packages to have `example_` prefix.
- Exclude examples from running in main `Build & Test` CI job.
- Add new testing step to `Build & Test Example` CI job.
- Bumps the `clap` to `4.5.17`.

### Notes to the reviewers

### Changelog notice

- Standardize the example packages to have `example_` prefix.
- Exclude examples from running in main `Build & Test` CI job.
- Add new testing step to `Build & Test Example` CI job.
- Bumps the `clap` to `4.5.17`.

### Checklists

#### All Submissions:

* [x] I've signed all my commits
* [x] I followed the [contribution guidelines](https://github.com/bitcoindevkit/bdk/blob/master/CONTRIBUTING.md)
* [x] I ran `cargo fmt` and `cargo clippy` before committing

#### Bugfixes:

* [ ] This pull request breaks the existing API
* [ ] I've added tests to reproduce the issue which are now passing
* [x] I'm linking the issue being fixed by this PR

ACKs for top commit:

ValuedMammal: ACK d802d00

Tree-SHA512: 274ddcdf05175fa5bc9c78e81de9ce768b800942a2dd420abc415618948aa84b79f6542d8af0c9ba57adaca48ce91fb854546ece069bd4751598cca4ed8f7560
Fixed by #1603
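The dependency chain discussed in this thread (`clap` → `clap_derive` → `proc-macro-error`) can be confirmed from a lockfile before and after the bump. The following is an added example, not code from the BDK repository: it parses `Cargo.lock` text and reports one chain from a root package to the flagged crate. The package name `example_cli`, the `0.0.0` versions and the `syn` version are constructed placeholders.

```rust
use std::collections::HashMap;

/// Render one Cargo.lock stanza; used only to build the constructed sample below.
fn stanza(name: &str, version: &str, deps: &[&str]) -> String {
    let deps: String = deps.iter().map(|d| format!(" \"{}\",\n", d)).collect();
    format!("[[package]]\nname = \"{}\"\nversion = \"{}\"\ndependencies = [\n{}]\n\n", name, version, deps)
}

/// Constructed lockfile; "0.0.0" and the syn version are placeholders.
/// `old_clap` selects a clap_derive that still pulls in proc-macro-error.
fn sample_lock(old_clap: bool) -> String {
    let head = stanza("example_cli", "0.0.0", &["clap"]) + &stanza("clap", "0.0.0", &["clap_derive"]);
    if !old_clap { return head + &stanza("clap_derive", "0.0.0", &["syn"]); }
    head + &stanza("clap_derive", "0.0.0", &["proc-macro-error", "syn 1.0.0"])
        + &stanza("proc-macro-error", "1.0.4", &["syn 1.0.0"])
}

/// Parse Cargo.lock text into package name -> direct dependency names.
/// Several locked versions of one crate are merged under its name.
fn parse_lock(lock: &str) -> HashMap<String, Vec<String>> {
    let (mut graph, mut current) = (HashMap::<String, Vec<String>>::new(), String::new());
    for line in lock.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("name = ") {
            current = rest.trim_matches('"').to_string();
        } else if line.starts_with('"') {
            // Entries look like "name", "name version" or "name version (source)".
            let dep = line.trim_matches(|c: char| c == '"' || c == ',');
            let name = dep.split_whitespace().next().unwrap_or("").to_string();
            graph.entry(current.clone()).or_default().push(name);
        }
    }
    graph
}

/// Depth-first search for one dependency chain from `from` to `target`.
fn chain_to(g: &HashMap<String, Vec<String>>, from: &str, target: &str, seen: &mut Vec<String>) -> Option<String> {
    if from == target { return Some(from.to_string()); }
    if seen.iter().any(|s| s == from) { return None; }
    seen.push(from.to_string());
    let tail = g.get(from)?.iter().find_map(|dep| chain_to(g, dep, target, seen))?;
    Some(format!("{} -> {}", from, tail))
}

fn main() {
    for &old in &[true, false] {
        let graph = parse_lock(&sample_lock(old));
        println!("old_clap={}: {:?}", old, chain_to(&graph, "example_cli", "proc-macro-error", &mut Vec::new()));
    }
}
```

On a real workspace, `cargo tree -i proc-macro-error` gives the same answer from Cargo's own resolver.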
proc-macro-error 1.0.4

proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email.

proc-macro-error also depends on `syn 1.x`, which may be bringing duplicate dependencies into dependant build trees.

Possible Alternative(s)

See advisory page for additional details.