net2 crate has been deprecated; use socket2 instead

The net2 crate has been deprecated
and users are encouraged to considered socket2 instead.

See advisory page for additional details.

dotenv is Unmaintained

dotenv by description is meant to be used in development or testing only.

Using this in production may or may not be advisable.

Alternatives

The below may or may not be feasible alternative(s):

• dotenvy

See advisory page for additional details.

In, last sequence diagram ( https://github.com/Alcibiades-Capital/quay/raw/master/docs/diagrams/mm_offer_trader_execute.png )
It should be "Case: market make offer, trader executes", but it shows "Case: market make offer, trader doesn't execute".

Potential segfault in the time crate

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

The affected functions from time 0.2.7 through 0.2.22 are:

• time::UtcOffset::local_offset_at
• time::UtcOffset::try_local_offset_at
• time::UtcOffset::current_local_offset
• time::UtcOffset::try_current_local_offset
• time::OffsetDateTime::now_local
• time::OffsetDateTime::try_now_local

The affected functions in time 0.1 (all versions) are:

• at
• at_utc
• now

Non-Unix targets (including Windows and wasm) are unaffected.

Patches

Pending a proper fix, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods.

Users and library authors with time in their dependency tree should perform cargo update, which will pull in the updated, unaffected code.

Users of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.

Workarounds

No workarounds are known.

References

time-rs/time#293

See advisory page for additional details.

Pipeline fails due to it not being there.

Motivation

Recently Opensea released Seaport Gossip, a P2P network for sharing Seaport orders.

I wanted to build my own rust client for it as a toy project, but saw the conversation in the Discord about rather upstreaming these changes to Quay. I'd love to help if possible, and so I'd like to know if there have been any discussions / efforts related to this, or if ti's entirely out of scope for the repo. If we wanna proceed, we could use this issue to track the changes needed.

Hi folks,

I'm the author of axum-sessions, which is a crate I see you all are using--I'm glad to see you've found it useful!

Over the course of the last year or so we've hit some roadblocks with our key dependency, async-session. The long and short of that is in order to unblock that and address some problems with axum-sessions's design, we've released a new crate which aims to replace axum-sessions: tower-sessions.

tower-sessions no longer relies on a third-party crate for its session implementation and this has allowed us to change its design to better fit tower and the broader tower ecosystem (i.e. axum). For instance, we no longer need writable and readable sessions, and have simplified the interface as a result.

I'd be curious if there's interest in migrating and am happy to help if so.

Maybe something like this:

https://github.com/davidB/axum-tracing-opentelemetry

Right now, as long as the user has established a SIWE session, they can create any order or listing. We should implement checks validating that the offers/listings being created are valid.

Data race when sending and receiving after closing a oneshot channel

If a tokio::sync::oneshot channel is closed (via the
oneshot::Receiver::close method), a data race may occur if the
oneshot::Sender::send method is called while the corresponding
oneshot::Receiver is awaited or calling try_recv.

When these methods are called concurrently on a closed channel, the two halves
of the channel can concurrently access a shared memory location, resulting in a
data race. This has been observed to cause memory corruption.

Note that the race only occurs when both halves of the channel are used
after the Receiver half has called close. Code where close is not used, or where the
Receiver is not awaited and try_recv is not called after calling close,
is not affected.

See tokio#4225 for more details.

See advisory page for additional details.

We need to authenticate users to verify that the own assets before create listings, or for other future functions requiring authn or authz

https://github.com/tokio-rs/axum/tree/main/examples/sessions

As we have a bidirectional MM gRPC, we should also support a bidirectional trader gRPC.

We have the session layer now and SIWE we can use to auth.

ansi_term is Unmaintained

The maintainer has adviced this crate is deprecated and will not
receive any maintenance.

The crate does not seem to have much dependencies and may or may not be ok to use as-is.

Last release seems to have been three years ago.

Possible Alternative(s)

The below list has not been vetted in any way and may or may not contain alternatives;

• anstyle
• nu-ansi-term
• yansi

See advisory page for additional details.

See: https://docs.opensea.io/v2.0/reference/retrieve-listings and https://docs.opensea.io/v2.0/reference/retrieve-offers

Migrating from actix -> axum is in line with getting everything running on the tokio runtime, as well as the ability to support a hybrid server for gRPC and http on the same port.

https://docs.rs/aide/latest/aide/axum/index.html

https://etherscan.io/address/0x000000000DaD0DE04D2B2D4a5A74581EBA94124A

https://mobile.twitter.com/stephanminkj/status/1579529197784993792

stdweb is unmaintained

The author of the stdweb crate is unresponsive.

Maintained alternatives:

• wasm-bindgen
• js-sys
• web-sys

See advisory page for additional details.

We need to add support for say mainnet and arbitrum.