Merge pull request #140 from daboross/dross/upgrade-colored

Upgrade colored
daboross · Oct 20, 2024 · cfc8e8f · cfc8e8f
2 parents 8236409 + f82c111
commit cfc8e8f
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 57 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,12 @@
 Unreleased
 ==========
 
+- Upgrade `colored` to version 2. This is a breaking change due to
+  `colored` being exposed in the public API of `fern`. (thanks [@faern] for
+  doing the boilerplate here!)
+- Remove most of the unsoundness warning, and update it to reflect fern 0.7.0
+  fixing the issue.
+
 0.6.2 (2023-03-23)
 ==================
 
@@ -430,3 +436,4 @@ First release, version 0.1.0.
 [@autarch]: https://github.com/autarch
 [@vorner]: https://github.com/vorner
 [@EasyPost]: https://github.com/EasyPost
+[@faern]: https://github.com/faern
diff --git a/Cargo.toml b/Cargo.toml
@@ -20,7 +20,7 @@ include = ["Cargo.toml", "src/**/*", "tests/**/*", "examples/**/*", "LICENSE", "
 
 [dependencies]
 log = { version = "0.4", features = ["std"] }
-colored = { version = "1.5", optional = true }
+colored = { version = "2.1.0", optional = true }
 chrono = { version = "0.4", default-features = false, features = ["std", "clock"], optional = true }
 
 [target."cfg(not(windows))".dependencies]

diff --git a/README.md b/README.md
@@ -14,35 +14,10 @@ One of our downstream dependencies, [atty](https://docs.rs/atty/), through
 [colored](https://docs.rs/colored/), has an unsoundness issue:
 <https://rustsec.org/advisories/RUSTSEC-2021-0145.html>.
 
-This shows up in one situation: if you're using `colored` (the crate, or our
+This shows up in one situation: if you're using `colored` 0.1.0 (the crate, or our
 feature), and a custom global allocator.
 
-I will be releasing `fern` 0.7.0, removing `colored` as a dependency. This may
-add another color crate, or may just document usage of alternatives (such as
-[`owo-colors`](https://docs.rs/owo-colors/) +
-[`enable-ansi-support`](https://docs.rs/enable-ansi-support/)).
-
-In the meantime, if you're using `#[global_allocator]`, I highly recommend
-removing the `fern/colored` feature.
-
-Or, for minimal code changes, you can also enable the `colored/no-colors`
-feature:
-
-```text
-cargo add colored --features no-color
-```
-
-With the `no-color` feature, the vulnerable code will still be present, but
-unless you use any of the following APIs manually, it will never be called:
-
-- [`colored::control::set_override`](https://docs.rs/colored/latest/colored/control/fn.set_override.html)
-- [`colored::control::unset_override`](https://docs.rs/colored/latest/colored/control/fn.unset_override.html)
-- [`colored::control::ShouldColorize::from_env`](https://docs.rs/colored/latest/colored/control/struct.ShouldColorize.html#method.from_env)
-- [`colored::control::SHOULD_COLORIZE`](https://docs.rs/colored/latest/colored/control/struct.SHOULD_COLORIZE.html)
-  (referencing this `lazy_static!` variable will initialize it, running the
-  vulnerable code)
-
-See <https://github.com/daboross/fern/issues/113> for further discussion.
+Upgrade to `fern` 0.7.0, and `colored` 0.2.0 if you depend on it directly, to fix this issue.
 
 ---
 

diff --git a/src/lib.rs b/src/lib.rs
@@ -5,38 +5,13 @@
 //! # fern 0.4.4, 0.5.\*, 0.6.\* security warning - `colored` feature + global allocator
 //!
 //! One of our downstream dependencies, [atty](https://docs.rs/atty/), through
-//! [colored], has an unsoundness issue:
-//! <https://rustsec.org/advisories/RUSTSEC-2021-0145.html>
+//! [colored](https://docs.rs/colored/), has an unsoundness issue:
+//! <https://rustsec.org/advisories/RUSTSEC-2021-0145.html>.
 //!
-//! This shows up in one situation: if you're using `colored` (the crate, or our
+//! This shows up in one situation: if you're using `colored` 0.1.0 (the crate, or our
 //! feature), and a custom global allocator.
 //!
-//! I will be releasing `fern` 0.7.0, removing `colored` as a dependency. This
-//! may add another color crate, or may just document usage of alternatives
-//! (such as [`owo-colors`](https://docs.rs/owo-colors/) +
-//! [`enable-ansi-support`](https://docs.rs/enable-ansi-support/0.2.1/enable_ansi_support/)).
-//!
-//! In the meantime, if you're using `#[global_allocator]`, I highly recommend
-//! removing the `fern/colored` feature.
-//!
-//! Or, for minimal code changes, you can also enable the `colored/no-colors`
-//! feature:
-//!
-//! ```text
-//! cargo add colored --features no-color
-//! ```
-//!
-//! With the `no-color` feature, the vulnerable code will still be present, but
-//! unless you use any of the following APIs manually, it will never be called:
-//!
-//! - [`colored::control::set_override`]
-//! - [`colored::control::unset_override`]
-//! - [`colored::control::ShouldColorize::from_env`]
-//! - [`colored::control::SHOULD_COLORIZE`][struct@colored::control::SHOULD_COLORIZE]
-//!   (referencing this `lazy_static!` variable will initialize it, running the
-//!   vulnerable code)
-//!
-//! See <https://github.com/daboross/fern/issues/113> for further discussion.
+//! Upgrade to `fern` 0.7.0, and `colored` 0.2.0 if you depend on it directly, to fix this issue.
 //!
 //! # Depending on fern
 //!