cargo audit: transitive dependency mopa has unsoundness advisory (RUSTSEC-2021-0095) #153

@kestred

Hiya. First, thank you for building iocraft!

I ran into this when I was building some new TUI tools.
I try to keep my CI/CD strict in any way I can (including cargo audit), and it reported this issue.

Question: What would be the preferred approach for me to handle this if I were to submit an MR?

Summary

iocraft depends on any_key (0.1.1), which depends on mopa (0.2.2). The mopa crate has an unsoundness advisory RUSTSEC-2021-0095 (CVE-2021-45695).

iocraft 0.7.16
└── any_key 0.1.1
    └── mopa 0.2.2  ← unsound

There is no patched version of mopa, and the crate has been unmaintained since 2017.

  • mopa: Appears unmaintained, no change since 2017
  • any_key: Dormant since August 2017, zero activity, no issues/PRs

Since any_key is unmaintained, I filed the issue with iocraft.
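
The chain in the Summary can be recovered from a lockfile mechanically, which is what `cargo tree -i mopa` reports for a real project. The following is an added example, not part of the original issue or of iocraft's code; `parse_lock` and `chain_to` are hypothetical helper names, and the lockfile text is a constructed sample holding only the three packages named above.

```rust
use std::collections::{HashMap, HashSet};
// Constructed sample: a minimal Cargo.lock with only the chain from the issue.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "any_key"
version = "0.1.1"
dependencies = [
 "mopa",
]
[[package]]
name = "iocraft"
version = "0.7.16"
dependencies = [
 "any_key",
]
[[package]]
name = "mopa"
version = "0.2.2"
"#;
type Graph = HashMap<String, (String, Vec<String>)>; // name -> (version, deps)

// Line-based reader for [[package]] tables. Dependency entries are "name" or
// "name version (source)"; only the name is kept, so duplicate names collapse.
fn parse_lock(lock: &str) -> Graph {
    let (mut g, mut cur) = (Graph::new(), String::new());
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            cur = v.trim_matches('"').to_string();
            g.entry(cur.clone()).or_default();
        } else if let Some(v) = line.strip_prefix("version = ") {
            if let Some(p) = g.get_mut(&cur) { p.0 = v.trim_matches('"').to_string(); }
        } else if line.starts_with('"') {
            let dep = line.trim_matches(|c: char| c == '"' || c == ',').split(' ').next();
            if let Some(p) = g.get_mut(&cur) { p.1.push(dep.unwrap_or("").to_string()); }
        }
    }
    g
}

// Depth-first search for one chain from `from` to `target`; `seen` breaks cycles.
fn chain_to(g: &Graph, from: &str, target: &str, seen: &mut HashSet<String>) -> Option<Vec<String>> {
    let (ver, deps) = g.get(from)?;
    let label = format!("{from} {ver}");
    if from == target { return Some(vec![label]); }
    if !seen.insert(from.to_string()) { return None; }
    deps.iter().find_map(|d| chain_to(g, d, target, seen)).map(|rest| [vec![label], rest].concat())
}

fn main() {
    println!("{:?}", chain_to(&parse_lock(SAMPLE_LOCK), "iocraft", "mopa", &mut HashSet::new()));
}
```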
