Replace unmaintained ansi_term dependency (RUSTSEC-2021-0139) with a maintained alternative. #3343

@Montana

Hey all,

just currently depends on ansi_term = "0.12.0" (see Cargo.toml). The crate has been marked unmaintained by its author since 2021 and has an active RustSec advisory:

This isn't a vulnerability; it's an INFO/unmaintained advisory, but it shows up in cargo audit runs for anyone packaging or consuming just, and the crate won't receive bug fixes or compatibility updates going forward.

It's used in ansi_term and is referenced in just a few places in src/:

  • src/color.rs — imports ANSIGenericString, Color, Prefix, Style, Suffix
  • src/command_color.rs — impl From<CommandColor> for ansi_term::Color
  • src/config.rs — command_color: Option<ansi_term::Color>
  • src/run.rs — ansi_term::enable_ansi_support()

The surface area looks small (~200 lines across two files do almost all of the work), so a migration should be reasonably contained.

Some alternatives I suggest come from the RustSec advisory, which lists several maintained replacements. The most natural candidates for just are:

  • anstyle, minimal, no_std-friendly, and already a transitive dep via clap, so it would reduce the dependency graph rather than swap one crate for another. Best fit if the goal is leanness.
  • nu-ansi-term, a near drop-in fork of ansi_term maintained by the Nushell team. Lowest-effort migration if API compatibility is the priority.
  • owo-colors, ergonomic extension-trait API, also widely used.

Given that clap (already a dependency) pulls in anstyle transitively, that seems like the cleanest path, but nu-ansi-term is the easier port if migration cost is the concern.

I'm filing this as a record of the issue in case it's useful for future maintenance, and so that downstream packagers running cargo audit have something to point at.

Happy to provide more detail on any of the above if helpful.

Cheers,
Michael Mendy.
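
The dependency-graph point in the issue above (ansi_term is pulled in directly, while anstyle is already locked via clap) can be checked against a lockfile. The following is an added example, not part of the issue or of just's code: the Cargo.lock excerpt is constructed and simplified, and `parse_lock` and `dependents` are hypothetical helpers that assume one locked version per crate name.

```rust
use std::collections::BTreeMap;
// Constructed, simplified Cargo.lock excerpt; not just's real lockfile.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "ansi_term"
[[package]]
name = "anstyle"
[[package]]
name = "clap"
dependencies = [
 "anstyle",
]
[[package]]
name = "just"
dependencies = [
 "ansi_term",
 "clap",
]
"#;

/// Map each locked package name to its direct dependency names.
fn parse_lock(lock: &str) -> BTreeMap<String, Vec<String>> {
    let mut graph: BTreeMap<String, Vec<String>> = BTreeMap::new();
    let mut current = String::new();
    for line in lock.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("name = ") {
            current = rest.trim_matches('"').to_string();
            graph.insert(current.clone(), Vec::new());
        } else if line.starts_with('"') {
            // Dependency entry: "name", "name version" or "name version (source)".
            let dep = line.trim_matches(|c: char| c == '"' || c == ',');
            if let (Some(name), Some(deps)) = (dep.split_whitespace().next(), graph.get_mut(&current)) {
                deps.push(name.to_string());
            }
        }
    }
    graph
}

/// Packages that depend directly on `target`.
fn dependents(graph: &BTreeMap<String, Vec<String>>, target: &str) -> Vec<String> {
    graph.iter().filter(|(_, d)| d.iter().any(|x| x == target)).map(|(n, _)| n.clone()).collect()
}

fn main() {
    let graph = parse_lock(SAMPLE_LOCK);
    println!("ansi_term pulled in by: {:?}", dependents(&graph, "ansi_term"));
    println!("anstyle already locked: {}", graph.contains_key("anstyle"));
}
```

Against a real checkout, `cargo tree -i ansi_term` answers the same reverse-dependency question directly.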
