Update mopa to avoid safety issue (no longer maintained) #217
Comments
|
Links to dependabots security issues: https://github.com/Cypher1/tako/security/dependabot/1 |
|
Thanks for reporting the issue @Cypher1! At this point, I'm wondering if the dependency is even worth it, we're using the macro once in the entire crate, maybe that code should just be inlined instead? Would you be willing to create a PR for that? |
|
Interesting that you're building a compiler with an ECS, I was thinking about the same thing yesterday, since I'm writing a compiler for a toy language myself. It seemed cumbersome to repeat the structures of your language for every intermediate representation, so I thought why not assign everything an ID and use tables to store related information for the current phase. And ECS seems like the perfect fit for that :) |
|
FYI, there's also |
- The previous implementation uses `mopa`, which has a known safety issue: chris-morgan/mopa#13 - This commit essentially inlines the code generated by the `mopafy!` macro provided by `mopa`, thus removing the dependency - Since `mopa::Any` was part of the public interface of the `Resource` trait, this is technically a breaking change Fixes #217
|
I went ahead an created a PR: #218 |
|
Thanks @torkleyy I'll check out bevy ECS. I'm really glad you opened the pr as I don't know my way around shred internals |
Dependabots recently opened an advisory on one of my projects https://github.com/Cypher1/tako/ because I'm using specs, which depends on shred, which depends on a version of mopa, whose latest version contains an unsound pattern which can cause segfaults.
Issue here:
chris-morgan/mopa#13
Currently the thread's contributors state that mopa is not maintained, but one has set up mopa-maintained, as an alternative where they have added a fix.
Please investigate and update your deps so we can all avoid potential for segfaults :)
Cheers!
The text was updated successfully, but these errors were encountered: