13 Sep 2022 |
hexa | https://github.com/matrix-org/matrix-rust-sdk | 12:48:09 |
@pacien:pacien.net | and matrix-sdk-crypto-nodejs,
and napi-rs,
and maybe more… | 12:48:23 |
hexa | yeah, but ideally I won't have to come up with that during a security update | 12:49:47 |
hexa | and ultimately maintainers should take care of such an endeavour | 12:50:01 |
hexa | nix-repl> matrix-appservice-irc.meta.maintainers
[ ]
| 12:50:22 |
hexa | https://github.com/NixOS/nixpkgs/pull/191065 | 12:52:02 |
hexa | roast me | 12:52:02 |
hexa | piegames: so at least you are still codeowner 😄 | 13:04:00 |
f0x | oof | 13:06:01 |
f0x | fwiw pinning the resolution is a working patch too | 13:06:13 |
hexa | but that is pretty much downgrading the dependency? | 13:07:40 |
hexa | I have neither time nor expertise to evaluate possible breakages before they hit production | 13:08:07 |
f0x | In reply to @hexa:lossy.network: "but that is pretty much downgrading the dependency?" yeah, so it doesn't depend on the rust stuff | 13:08:41 |
f0x | and the bridge uses none of the crypto stuff anyways | 13:08:54 |
f0x | but fair, yeah | 13:09:00 |
hexa | wow 😕 | 13:09:06 |
f0x | it's a dependency downgrade, but still in the supported semver by matrix-appservice-bridge^3.2.0 | 13:11:41 |
f0x | * it's a dependency downgrade, but still in the supported version range by matrix-appservice-bridge^3.2.0 | 13:11:47 |
hexa | I don't have a strong opinion in this case | 13:19:25 |
hexa | I'm not sure if or when they will bump the lower end | 13:19:56 |
hexa | both are band-aids | 13:20:11 |
hexa | * both solutions are band-aids | 13:20:15 |
f0x | yep.. | 13:20:38 |
hexa | https://matrix.org/blog/2022/09/13/security-release-of-matrix-appservice-irc-0-35-0-high-severity | 16:25:22 |
hexa | unstable-small has the bump fwiw | 16:25:29 |
@pacien:pacien.net | In reply to @hexa:lossy.network: "roast me" (╯°□°)╯︵ ┻━┻ (ノಠ益ಠ)ノ✂️ https://github.com/NixOS/nixpkgs/pull/186316#discussion_r970080894 | 21:06:14 |
hexa | Notkea: if you could try building the rust native thing, unless you're in a hurry | 21:07:23 |
hexa | that would be neat | 21:07:29 |
@pacien:pacien.net | I tried. This requires napi-rs, which requires Yarn v2, whose lock format isn't supported by our yarn2nix… | 21:08:05 |
hexa | oh boy | 21:08:23 |