From ee161a7602c5db60965a79907b25f0c02183cceb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20F=C3=A4rnstrand?= Date: Wed, 12 Jul 2023 13:13:37 +0200 Subject: [PATCH 1/4] Upgrade colored dependency to ^2 --- CHANGELOG.md | 3 +++ Cargo.toml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4125a96..647760a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ Unreleased ========== +- Upgrade `colored` to version 2. This is a breaking change due to + `colored` being exposed in the public API of `fern`. + 0.6.2 (2023-03-23) ================== diff --git a/Cargo.toml b/Cargo.toml index cdfc877..5f167ac 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,7 +20,7 @@ include = ["Cargo.toml", "src/**/*", "tests/**/*", "examples/**/*", "LICENSE", " [dependencies] log = { version = "0.4", features = ["std"] } -colored = { version = "1.5", optional = true } +colored = { version = "2.1.0", optional = true } chrono = { version = "0.4", default-features = false, features = ["std", "clock"], optional = true } [target."cfg(not(windows))".dependencies] From fdd525c8a9a778a6b22bbb9e20dd53fbac061351 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20F=C3=A4rnstrand?= Date: Wed, 12 Jul 2023 13:18:01 +0200 Subject: [PATCH 2/4] Revert "Add documentation warning about usage of 'colored'" This reverts commit 31ac5749b9928a29b76e23288d37fa2cb89902ff. --- CHANGELOG.md | 1 + README.md | 40 ---------------------------------------- src/lib.rs | 36 ------------------------------------ 3 files changed, 1 insertion(+), 76 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 647760a..66c3ab1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ Unreleased - Upgrade `colored` to version 2. This is a breaking change due to `colored` being exposed in the public API of `fern`. +- Remove security warning regarding `colored` since it's no longer an issue with this version. 0.6.2 (2023-03-23) ================== 
diff --git a/README.md b/README.md index 8685fe1..47a2cc9 100644 --- a/README.md +++ b/README.md 
@@ -6,46 +6,6 @@ fern Simple, efficient logging for [Rust]. ---- - -## fern 0.4.4, 0.5.\*, 0.6.\* security warning - `colored` feature + global allocator - -One of our downstream dependencies, [atty](https://docs.rs/atty/), through -[colored](https://docs.rs/colored/), has an unsoundness issue: -. - -This shows up in one situation: if you're using `colored` (the crate, or our -feature), and a custom global allocator. - -I will be releasing `fern` 0.7.0, removing `colored` as a dependency. This may -add another color crate, or may just document usage of alternatives (such as -[`owo-colors`](https://docs.rs/owo-colors/) + -[`enable-ansi-support`](https://docs.rs/enable-ansi-support/)). - -In the meantime, if you're using `#[global_allocator]`, I highly recommend -removing the `fern/colored` feature. - -Or, for minimal code changes, you can also enable the `colored/no-colors` -feature: - -```text -cargo add colored --features no-color -``` - -With the `no-color` feature, the vulnerable code will still be present, but -unless you use any of the following APIs manually, it will never be called: - -- [`colored::control::set_override`](https://docs.rs/colored/latest/colored/control/fn.set_override.html) -- [`colored::control::unset_override`](https://docs.rs/colored/latest/colored/control/fn.unset_override.html) -- [`colored::control::ShouldColorize::from_env`](https://docs.rs/colored/latest/colored/control/struct.ShouldColorize.html#method.from_env) -- [`colored::control::SHOULD_COLORIZE`](https://docs.rs/colored/latest/colored/control/struct.SHOULD_COLORIZE.html) - (referencing this `lazy_static!` variable will initialize it, running the - vulnerable code) - -See for further discussion. - ---- - Logging configuration is recursively branched, like a fern: formatting, filters, and output can be applied recursively to match increasingly specific kinds of logging. Fern provides a builder-based configuration backing for rust's standard [log] crate. ```rust 
diff --git a/src/lib.rs b/src/lib.rs index 82e1221..2b31310 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -2,42 +2,6 @@ #![doc(html_root_url = "https://docs.rs/fern/0.6.2")] //! Efficient, configurable logging in Rust. //! -//! # fern 0.4.4, 0.5.\*, 0.6.\* security warning - `colored` feature + global allocator -//! -//! One of our downstream dependencies, [atty](https://docs.rs/atty/), through -//! [colored], has an unsoundness issue: -//! -//! -//! This shows up in one situation: if you're using `colored` (the crate, or our -//! feature), and a custom global allocator. -//! -//! I will be releasing `fern` 0.7.0, removing `colored` as a dependency. This -//! may add another color crate, or may just document usage of alternatives -//! (such as [`owo-colors`](https://docs.rs/owo-colors/) + -//! [`enable-ansi-support`](https://docs.rs/enable-ansi-support/0.2.1/enable_ansi_support/)). -//! -//! In the meantime, if you're using `#[global_allocator]`, I highly recommend -//! removing the `fern/colored` feature. -//! -//! Or, for minimal code changes, you can also enable the `colored/no-colors` -//! feature: -//! -//! ```text -//! cargo add colored --features no-color -//! ``` -//! -//! With the `no-color` feature, the vulnerable code will still be present, but -//! unless you use any of the following APIs manually, it will never be called: -//! -//! - [`colored::control::set_override`] -//! - [`colored::control::unset_override`] -//! - [`colored::control::ShouldColorize::from_env`] -//! - [`colored::control::SHOULD_COLORIZE`][struct@colored::control::SHOULD_COLORIZE] -//! (referencing this `lazy_static!` variable will initialize it, running the -//! vulnerable code) -//! -//! See for further discussion. -//! //! # Depending on fern //! //! Ensure you require both fern and log in your project's `Cargo.toml`: From b78b76e701c07350a438cd331db96693b874e139 Mon Sep 17 00:00:00 2001 
From: David Ross Date: Sun, 20 Oct 2024 16:48:51 -0700 Subject: [PATCH 3/4] Add new security warning for the fixed soundness issue. --- README.md | 15 +++++++++++++++ src/lib.rs | 11 +++++++++++ 2 files changed, 26 insertions(+) diff --git a/README.md b/README.md index 47a2cc9..c759779 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,21 @@ fern Simple, efficient logging for [Rust]. +--- + +## fern 0.4.4, 0.5.\*, 0.6.\* security warning - `colored` feature + global allocator + +One of our downstream dependencies, [atty](https://docs.rs/atty/), through +[colored](https://docs.rs/colored/), has an unsoundness issue: +. + +This shows up in one situation: if you're using `colored` 0.1.0 (the crate, or our +feature), and a custom global allocator. + +Upgrade to `fern` 0.7.0, and `colored` 0.2.0 if you depend on it directly, to fix this issue. + +--- + Logging configuration is recursively branched, like a fern: formatting, filters, and output can be applied recursively to match increasingly specific kinds of logging. Fern provides a builder-based configuration backing for rust's standard [log] crate. ```rust diff --git a/src/lib.rs b/src/lib.rs index 2b31310..197a085 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -2,6 +2,17 @@ #![doc(html_root_url = "https://docs.rs/fern/0.6.2")] //! Efficient, configurable logging in Rust. //! +//! # fern 0.4.4, 0.5.\*, 0.6.\* security warning - `colored` feature + global allocator +//! +//! One of our downstream dependencies, [atty](https://docs.rs/atty/), through +//! [colored](https://docs.rs/colored/), has an unsoundness issue: +//! . +//! +//! This shows up in one situation: if you're using `colored` 0.1.0 (the crate, or our +//! feature), and a custom global allocator. +//! +//! Upgrade to `fern` 0.7.0, and `colored` 0.2.0 if you depend on it directly, to fix this issue. +//! //! # Depending on fern //! //! Ensure you require both fern and log in your project's `Cargo.toml`: 
From f82c111a32468717d7b4202eb13d3d54f8f4530b Mon Sep 17 00:00:00 2001 From: David Ross Date: Sun, 20 Oct 2024 16:52:23 -0700 Subject: [PATCH 4/4] Update CHANGELOG.md --- CHANGELOG.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 66c3ab1..f3bb084 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,8 +2,10 @@ Unreleased ========== - Upgrade `colored` to version 2. This is a breaking change due to - `colored` being exposed in the public API of `fern`. -- Remove security warning regarding `colored` since it's no longer an issue with this version. + `colored` being exposed in the public API of `fern`. (thanks [@faern] for + doing the boilerplate here!) +- Remove most of the unsoundness warning, and update it to reflect fern 0.7.0 + fixing the issue. 0.6.2 (2023-03-23) ================== @@ -434,3 +436,4 @@ First release, version 0.1.0. [@autarch]: https://github.com/autarch [@vorner]: https://github.com/vorner [@EasyPost]: https://github.com/EasyPost +[@faern]: https://github.com/faern
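Review bot: In the `Cargo.toml` hunk of patch 1/4, `colored = { version = "2.1.0", optional = true }` is stricter than the subject line's `^2`: Cargo reads `"2.1.0"` as `^2.1.0`, which excludes 2.0.x. If 2.1.0 is the minimum that resolves the problem, say so in the CHANGELOG entry, which currently reads as "any version 2"; if any 2.x is acceptable, `version = "2"` matches the stated intent and gives downstream resolvers more room. The same CHANGELOG entry would also be more useful if it named the public items through which `colored` is exposed, since that is the stated reason the bump is breaking.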
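Review bot: In the `CHANGELOG.md` hunk of patch 2/4, "since it's no longer an issue with this version" gives no reason a reader can verify. The warning being deleted in the same commit attributes the unsoundness to `atty`, reached through `colored`, so the entry should state what about the `colored` 2 upgrade removes that path, and link the issue, so that anyone auditing the changelog does not have to take the claim on faith. Note also that patch 4/4 rewrites this same bullet; either squash the two or land the final wording here so the intermediate entry never appears in history.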
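Review bot: In the `README.md` hunk of patch 3/4, the version numbers contradict the dependency change in patch 1/4, which moves `colored` from `"1.5"` to `"2.1.0"`: "if you're using `colored` 0.1.0" and "`colored` 0.2.0 if you depend on it directly" should read `colored` 1.x and `colored` 2.x (or 2.1.0). As written, the warning tells direct dependents to upgrade to a release that predates the affected one. Separately, "has an unsoundness issue:" is followed only by "." in the hunk, so no link to the issue appears; if the autolink was dropped, restore it, because the warning otherwise gives readers nothing to check against.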
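Review bot: The `src/lib.rs` hunk of patch 3/4 carries the same `colored` 0.1.0 / 0.2.0 versions as the README hunk, which do not match the `"1.5"` to `"2.1.0"` change in `Cargo.toml`; fix both copies together, or keep one source of truth so the crate docs and README cannot drift apart again. The context line `#![doc(html_root_url = "https://docs.rs/fern/0.6.2")]` still points at 0.6.2 while the added text instructs users to upgrade to 0.7.0, so the root URL needs bumping in the release commit or rustdoc links will keep resolving to the affected version's documentation.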
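Review bot: In the first `CHANGELOG.md` hunk of patch 4/4, "Remove most of the unsoundness warning, and update it to reflect fern 0.7.0 fixing the issue" describes only the documentation change; the actual fix is the `colored` bump in the bullet above it, and neither bullet links the unsoundness issue that the README warning refers to. Add that link here so release-notes readers can find it without opening the README. Since the entry already names 0.7.0, the `Unreleased` heading will need to become the 0.7.0 entry, with a date, when this ships. The `[@faern]` reference added in the second hunk follows the existing `[@handle]: https://github.com/handle` convention, so nothing to change there.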