Open Bug 2011119 Opened 5 months ago Updated 3 months ago

[Automated review] cargo-audit: warning Crate depends on a unmaintained version of bincode.

Categories: Developer Infrastructure :: Source Code Analysis (defect)

Tracking: Not tracked

Status: ASSIGNED

People: Reporter: m_kato; Assigned: ErichDonGubler; NeedInfo

Attachments: 1 file

Phabricator URL: https://phabricator.services.mozilla.com/D278223

When updating ICU4X in bug 1997048, although ICU4X doesn't have a dependency on bincode (I checked Cargo.lock), the following warning is shown by the review bot.

/mozilla/firefox/Cargo.lock
  -1:-1  warning  Crate depends on a unmaintained version of bincode.

Advisory:
Bincode is unmaintained
Package: bincode
ID: RUSTSEC-2025-0141
Report date: 2025-12-16
Due to a doxxing and harassment incident, the bincode team has taken the decision to cease development permanently.

The team considers version 1.3.3 a complete version of bincode that is not in need of any updates.

## Alternatives to consider

* [wincode](https://crates.io/crates/wincode)
* [postcard](https://crates.io/crates/postcard)
* [bitcode](https://crates.io/crates/bitcode)
* [rkyv](https://crates.io/crates/rkyv)
URL: https://git.sr.ht/~stygianentity/bincode/tree/v3.0/item/README.md

Package info: {
  "name": "bincode",
  "version": "1.3.3",
  "source": "registry+https://github.com/rust-lang/crates.io-index",
  "checksum": "b1f45e9417d87227c7a56d22e471c6206462cba514c7590c09aff4cf6d1ddcad",
  "dependencies": [
    {
      "name": "serde",
      "version": "1.0.227",
      "source": "registry+https://github.com/rust-lang/crates.io-index"
    }
  ],
  "replace": null
}  (cargo-audit)

https://git.sr.ht/~stygianentity/bincode/tree/v3.0/item/README.md?__goaway_challenge=meta-refresh&__goaway_id=d677f67390a1410c2d2cfbcbb48f8ecb&__goaway_referer=https%3A%2F%2Frustsec.org%2F has some more color on some of the choices:

If you were considering using bincode for a new project or are looking for an
alternative to migrate to, you are encouraged to consider some of the following
alternatives, as well as the many other great serialization format crates
available in the Rust ecosystem:

Bincode-compatible alternative

Similar in spirit and structure to bincode, but a bit differently flavored

Zero copy deserialization, honestly the best option for many of the usecases
that bincode was intended for, like serializing transient data for
intra-program message passing.

The severity field is not set for this bug.
:zeid, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(zeid)


I just had a brief look and it seems that there's no easy way out of this: the wincode crate is compatible but only with version 2 and up of bitcode while our dependencies are on version 1. Many of these dependencies belong to our crates so we'll have to go manually migrate them one at a time until we get rid of the dependency.

Assignee: nobody → egubler
Status: NEW → ASSIGNED
Keywords: leave-open
Pushed by egubler@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/b6278984c69e https://hg.mozilla.org/integration/autoland/rev/b70b6060e018 chore(rust): ignore `bincode` unmaintained advisory RUSTSEC-2025-0141 r=supply-chain-reviewers

Okay, I've landed a suppression of the warning, but the fundamental issue of unmaintained code remains. This should stop gumming up unrelated patch review, at least.

Keywords: leave-open
