surf seems to be unmaintained #1471
Comments
Commented here: http-rs/surf#352 (comment) The maintainer has indicated willingness to merge any security fixes and per our policy we reserve unmaintained for completely unreachable maintainers or where the maintainer explicitly wishes us to flag it. An action here might be feasible to flag old versions of rustls and then that will light up anything downstream if feasible?
Can't do anything here since the maintainer has said they will fix any security issue and we take the maintainer's word. Also have offered to mark old versions of rustls unmaintained as the dependencies further up can be used to light up things. Please let us know if you would like us to do that and we can do that to ensure any downstream dependencies complain if they use the old rustls version.
There's an explicit comment from the maintainer that it should be considered unmaintained: Is that enough to warrant an informational advisory for this crate?
The surf HTTP client seems to be unmaintained. I reached out and it doesn't look good. It depends on the latest released version of http-types, which depends on an old version of cookie, which in turn depends on the unmaintained stdweb, and an old version of aes-gcm, which in turn has a number of unmaintained dependencies. There's an issue in http-types to get a new release out but not much movement there.
surf itself additionally still depends on rustls 0.18, while 0.19 was released two years ago.