Dependency has (fixed) vulnerability, but is no longer compatible

(Azriel Hoh) #1

Hiya, we have a cargo audit problem:

  • slice-deque is used to back amethyst_audio (via rodio, minimp3, slice-deque)
  • Currently we use slice-deque 0.1.x, which has a security issue (
  • slice-deque 0.2.2 no longer has the security issue, but SliceDeque is no longer Send + Sync, because of a refactoring that it internally uses std::ptr::NonNull
  • that makes our AudioEmitter not be able to be used as a Component

Should we:

  • investigate whether SliceDeque can be made Send + Sync
  • do some sort of wrapper around it Arc<Mutex<_>>?
  • something else

(Azriel Hoh) #2

Ah, it’s all solved now, solution 1 was implemented