subxt depends on unmaintained component [RUSTSEC-2022-0061] #759

simonsso opened this issue Jan 5, 2023 · 1 comment
simonsso commented Jan 5, 2023

Paritytech/subxt is depending on a component abandoned and unmaintained by Paritytech(sic!)...

I could not find a ticket or PR tracking this issue.

This is the output from cargo audit executed on the latest commit on master.

Crate: parity-wasm
Version: 0.45.0
Warning: unmaintained
Title: Crate parity-wasm deprecated by the author
Date: 2022-10-01
ID: RUSTSEC-2022-0061
URL: https://rustsec.org/advisories/RUSTSEC-2022-0061

Dependency tree:
parity-wasm 0.45.0
├── wasmi-validation 0.5.0
│   └── wasmi 0.13.2
│       ├── sp-wasm-interface 7.0.0
│       │   ├── sp-runtime-interface 7.0.0
│       │   │   ├── sp-io 7.0.0
│       │   │   │   ├── sp-runtime 7.0.0
│       │   │   │   │   ├── test-runtime 0.25.0
│       │   │   │   │   │   └── integration-tests 0.25.0
│       │   │   │   │   ├── subxt 0.25.0
│       │   │   │   │   │   ├── ui-tests 0.25.0
│       │   │   │   │   │   ├── test-runtime 0.25.0
│       │   │   │   │   │   ├── subxt-examples 0.25.0
│       │   │   │   │   │   └── integration-tests 0.25.0
│       │   │   │   │   ├── sp-keyring 7.0.0
│       │   │   │   │   │   ├── subxt-examples 0.25.0
│       │   │   │   │   │   └── integration-tests 0.25.0
│       │   │   │   │   └── integration-tests 0.25.0
│       │   │   │   └── sp-application-crypto 7.0.0
│       │   │   │       └── sp-runtime 7.0.0
│       │   │   └── sp-core 7.0.0
│       │   │       ├── test-runtime 0.25.0
│       │   │       ├── subxt-metadata 0.25.0
│       │   │       │   ├── subxt-codegen 0.25.0
│       │   │       │   │   ├── subxt-macro 0.25.0
│       │   │       │   │   │   └── subxt 0.25.0
│       │   │       │   │   ├── subxt-cli 0.25.0
│       │   │       │   │   └── integration-tests 0.25.0
│       │   │       │   ├── subxt-cli 0.25.0
│       │   │       │   └── subxt 0.25.0
│       │   │       ├── subxt 0.25.0
│       │   │       ├── sp-weights 4.0.0
│       │   │       │   └── sp-runtime 7.0.0
│       │   │       ├── sp-trie 7.0.0
│       │   │       │   ├── sp-state-machine 0.13.0
│       │   │       │   │   └── sp-io 7.0.0
│       │   │       │   └── sp-io 7.0.0
│       │   │       ├── sp-state-machine 0.13.0
│       │   │       ├── sp-runtime 7.0.0
│       │   │       ├── sp-keystore 0.13.0
│       │   │       │   └── sp-io 7.0.0
│       │   │       ├── sp-keyring 7.0.0
│       │   │       ├── sp-io 7.0.0
│       │   │       ├── sp-application-crypto 7.0.0
│       │   │       └── integration-tests 0.25.0
│       │   └── sp-io 7.0.0
│       └── sp-core 7.0.0
└── wasmi 0.13.2

jsdw commented Jan 6, 2023

Thank you for the issue!

This dependency comes from Substrate crates, and having a glance at substrate master we still depend on that crate there (see https://github.com/paritytech/substrate/blob/4692572ecf8de0f9420972f8bf2f072243cf5a94/primitives/wasm-interface/Cargo.toml#L20; we still pull in wasmi 0.13). I'm not familiar with the state of parity-wasm, but it's a part of the paritytech org, same as substrate and subxt, so I wouldn't think that it is any concern. I expect Substrate will transition away from it when appropriate.

If you're still concerned, I'd suggest raising an issue/discussion at the source: https://github.com/paritytech/substrate.

FYI I am actually trimming down our dependence on the substrate crates (see #760), so it will become easier to "opt out" of these dependencies (although at present you'll lose some signing functionality if you do).
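The thread above shows the usual shape of this triage: cargo audit reports an unmaintained crate as a warning, and a maintainer decides it is acceptable for now because it comes from upstream. The following added example (not code from subxt or from either commenter) is a CI gate that encodes that decision explicitly: vulnerabilities always fail, warnings fail unless the advisory ID is on an accepted list with a review-by date. The JSON layout (top-level `vulnerabilities`/`warnings`, each entry with `advisory` and `package`) is assumed from cargo-audit's `--json` output, and the sample report is constructed to mirror the RUSTSEC-2022-0061 finding from the issue.

```python
"""CI gate over `cargo audit --json` output with an explicit accepted-risk list.
The JSON shape is an assumption about cargo-audit's output; the sample is
constructed from the advisory shown in the issue (not captured from a real run)."""
import json
from datetime import date

# Constructed sample resembling `cargo audit --json`, trimmed to the relevant keys.
SAMPLE_AUDIT_JSON = json.dumps({
    "vulnerabilities": {"count": 0, "list": []},
    "warnings": {
        "unmaintained": [{
            "kind": "unmaintained",
            "package": {"name": "parity-wasm", "version": "0.45.0"},
            "advisory": {
                "id": "RUSTSEC-2022-0061",
                "title": "Crate parity-wasm deprecated by the author",
                "date": "2022-10-01",
                "url": "https://rustsec.org/advisories/RUSTSEC-2022-0061",
            },
        }]
    },
})

# Advisories a maintainer has triaged and accepted. The review-by date forces the
# decision to be revisited instead of silently living on forever in CI config.
ACCEPTED = {
    "RUSTSEC-2022-0061": {
        "reason": "pulled in via Substrate crates; tracked upstream",
        "review_by": "2023-07-01",
    },
}


def triage(audit_json: str, accepted=ACCEPTED, today="2023-01-06"):
    """Return (blocking, accepted_ids). Any entry in `blocking` should fail the build."""
    report = json.loads(audit_json)
    today_d = date.fromisoformat(today)
    blocking, accepted_ids = [], []
    # Real vulnerabilities are never silenced by the accepted list.
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        blocking.append(vuln["advisory"]["id"])
    # Warnings (unmaintained, unsound, yanked, ...) block unless explicitly accepted
    # and the acceptance has not expired.
    for _kind, entries in report.get("warnings", {}).items():
        for entry in entries:
            adv_id = entry["advisory"]["id"]
            decision = accepted.get(adv_id)
            if decision and today_d <= date.fromisoformat(decision["review_by"]):
                accepted_ids.append(adv_id)
            else:
                blocking.append(adv_id)
    return blocking, accepted_ids
```

Run it as the last step of the audit job and exit non-zero when `blocking` is non-empty; once the review-by date passes, the accepted advisory starts failing the build again until someone re-triages it.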

@jsdw jsdw closed this as completed Jan 6, 2023