Fix advisory #652

Merged
merged 2 commits into from
Nov 10, 2024

BenjaminBrienen
Contributor

@BenjaminBrienen BenjaminBrienen commented Nov 10, 2024

Fixes a security advisory. instant is no longer maintained, but there is a drop-in replacement.

@dfaust
Member

dfaust commented Nov 10, 2024

Thanks. Can you please add a changelog entry:

```
## notify-types 2.0.0 (unreleased)

- CHANGE: replace instant crate with web-time **breaking**
```

@bushrat011899

Just calling out that instant is BSD-3-Clause licenced, while web-time is MIT/Apache-2.0. I don't know if that's an issue for this project (came here from Bevy) but wanted to make sure everyone's aware.

@dfaust
Member

dfaust commented Nov 10, 2024

@bushrat011899 Thanks for the info. But I don't see an issue with MIT/Apache-2.0.

@dfaust
Member

dfaust commented Nov 10, 2024

@bushrat011899 Is there a Bevy issue related to this?

@bushrat011899

@dfaust no @BenjaminBrienen just noticed it and let us know on the Discord. They're very quick with this stuff haha.

@BenjaminBrienen
Contributor Author

@dfaust done! let me know if it is in the wrong spot or something.

@dfaust dfaust merged commit deb3427 into notify-rs:main Nov 10, 2024
1 check passed
@dfaust
Member

dfaust commented Nov 10, 2024

Thanks

@BenjaminBrienen BenjaminBrienen deleted the fix-advisory branch November 10, 2024 21:51
zydou pushed a commit to zydou/arti that referenced this pull request Nov 12, 2024
We depend on `instant`, which is unmaintained, via `notify`.

`notify` switched over to [`web-time`], but hasn't released the change
yet, so we need to ignore the advisory for now.

[`web-time`]: notify-rs/notify#652
@extrawurst
Contributor

@dfaust can this be released (notify-types and notify) to be able to move away from the security advisory?

@dfaust
Member

dfaust commented Jan 10, 2025

notify-8.0.0 has just been released!
