dotenv crate is implicitly unmaintained #1254

Closed
JohnTitor opened this issue May 21, 2022 · 20 comments · Fixed by #1359
Labels
Unmaintained Informational / Unmaintained

Comments

@JohnTitor

JohnTitor commented May 21, 2022

As of May 21st, 2022, https://github.com/dotenv-rs/dotenv 's latest version is 0.15.0, which was published on October 22nd, 2019. And the latest commit is 3c1a77bc95821777e5ceb996c5e0b082f2a3ea38, which was pushed on Jun 27th, 2020.
On Dec 24th, 2021, someone asked the project status on Current maintenance state · Issue #74 · dotenv-rs/dotenv but there's no response from the maintainers.
I'm not sure how long "prolonged period" refers to, but this crate is a candidate for an "unmaintained" crate, I think. At least we should monitor how things are going there.

@8573
Contributor

8573 commented May 21, 2022

I wonder whether pandemic time should count differently from non-pandemic time... anyway, I see that the maintainer appears to be ZoeyR, who is one of a number of Rustaceans who have vanished from Rust circles after going to work for a certain company (I suggested she wear telemetry gear so we could try to find out what happened to the others, but she just laughed 😉).

@est31: are you still in contact with ZoeyR?

@est31

est31 commented May 21, 2022

Yes she's still alive and I had recent contact with her. I've sent her a DM on discord, let's see whether she reacts.

@JohnTitor
Author

@est31 Any updates from them?

@est31

est31 commented Jun 11, 2022

No reaction, I'm sorry.

@JohnTitor
Author

Alright! Hmm, the situation seems complicated to me, given their GitHub activities, they aren't inactive but the crate maintenance is inactive...
I'd like to somehow notify the situation to users and thought reporting here would be a good option.

@tarcieri @Shnatsel Any thoughts on this?

@BlackHoleFox
Contributor

BlackHoleFox commented Jun 11, 2022

The current guides on this say this:

> Implicitly unmaintained: the author is incommunicado for a prolonged period of time and cannot advise as to a crate's status.
>
> Contact attempts with the author made with no response. Ideally these attempts are made via a public GitHub issue, so that issue can be cited in an unmaintained crate advisory if need be. Unresponsiveness by the author over a period of 90 days is suggested before filing an advisory.

it also says 90 days for contact attempts, so imo this should wait longer.

@8573
Contributor

8573 commented Jun 11, 2022

> it also says 90 days for contact attempts, so imo this should wait longer.

I wouldn't oppose waiting longer if that would be less controversial, but a 90-day period has elapsed since

> On Dec 24th, 2021, someone asked the project status on Current maintenance state · Issue #74 · dotenv-rs/dotenv

@est31

est31 commented Jun 12, 2022

Has anyone tried contacting @sgrif ? They are listed as crates.io owner of the crate and also have write access on github. The dotenv crate has a lot of downloads (>1 million recent!) so it would be good if it were maintained, even if a maintainer change is necessary.

Also pinging @VictorKoenders as they have more contact to Zoey than me.

@VictorKoenders

This comment was marked as off-topic.

@est31

est31 commented Jun 12, 2022

> Please don't ping random people that are not involved with the project.

You are not directly involved but you have power to make progress on this issue. I'm very glad that at least you give any response at all, and am hopeful that you will be of help. One day you will probably be in the same shoes as the users here, who want to get fixes merged but they don't get merged because maintainers are unresponsive, e.g. for dotenv-rs/dotenv#72

I just want to avoid the more painful migration of the ecosystem to more maintained forks of the crate.

Anyways, I suggest people (edit: ONE person, not everyone) to contact sgrif via twitter DM as they seem to be active there, and because the biggest user of the dotenv crate is diesel, for which sgrif has successfully made a maintainership change.

I don't have much of a stake in this either I'm afraid.

@Dylan-DPC

> You are not directly involved but you have power to make progress on this issue.

If a person knows a maintainer, it doesn't give them the power to make any progress on the issue. I don't know about others but I wouldn't always want people in a personal circle to ping/ask/discuss about some open source maintenance. I don't see why Victor should be pulled into this issue.

@est31

est31 commented Jun 12, 2022

FTR for "progress" i put the bar pretty low. I meant getting any reply at all even if it is "I don't have the time to do maintenance of this crate at the current moment" or something. Sometimes people genuinely don't notice if you ping them directly on github, don't see e-mails in their inbox, etc. I once had to ping a maintainer of a similarly widely used crate on another repo, and they were actually responsive and even explained to me why they are not merging PRs (i didn't even ask for a why, but ofc i was happy that I got it explained). I suppose they had turned off notifications from the main repo.

Such statements are genuinely helpful to assessing whether the community should switch to a more maintained fork or not. If I understand it correctly, rustsec is about to categorize dotenv as unmaintained, at which point, correct me if I'm wrong, it would end up causing warnings for way more people than just the ones in the personal circle of the dotenv maintainers (>500 direct reverse dependencies, but probably only a subset do rustsec db based warnings). If there is the chance that the maintainers still want to maintain it or give it to others, then it should be considered first. Ghosting creates this uncomfortable limbo state that is not very helpful to users at all.

Also I want to point out that Victor and Zoey have common open source projects (see bincode).

Anyways this is my last message in this thread, I don't want to get involved in this any further. I'm here because I was pinged myself (see above), and thought I could be of help. I wish the affected users good luck, I'm out.

@tarcieri
Member

tarcieri commented Jun 12, 2022

Marking any crate with millions of downloads as unmaintained is going to be quite noisy, and in that regard if anything I'd prefer people be overcommunicative with maintainers and adjacent when doing due diligence on a particular crate's status.

Likewise someone who is a crates.io owner for a particular crate is definitely not "random people" and I have marked comments to that effect off topic.

Keep discussion in this thread on the topic of determining dotenv's maintenance status, please.

@Hezuikn

Hezuikn commented Jun 19, 2022

> the maintainer appears to be ZoeyR, who is one of a number of Rustaceans who have vanished from Rust circles after going to work for a certain company (I suggested she wear telemetry gear so we could try to find out what happened to the others, but she just laughed 😉).

scary

@est31

est31 commented Jun 24, 2022

@Hezuikn you are not being helpful. Also, for the record, the claim you quoted was wrong, she actually is still in Rust circles, just moved to different ones.

@pinkforest pinkforest added the Unmaintained Informational / Unmaintained label Jul 31, 2022
@pinkforest
Contributor

pinkforest commented Aug 14, 2022

Do we have alternatives / forks ?

There is a fork now called dotenvy which might be an actionable fix for the people if we were to flag unmaintained:
dotenv-rs/dotenv#74 (comment)

dotenv-rs/dotenv#79
https://github.com/allan2/dotenvy/
https://crates.io/crates/dotenvy

@allan2 @hoijui

dotenv-rs/dotenv#74 (comment)
dotenv-rs/dotenv#74 (comment)

However dotenvy hasn't had a release since March - repo was updated 9 days ago.

So that we don't have another situation like this -

Would it be helpful to have more than one maintainer for it or have a backup plan ?

Note: I would be slightly hesitant to proceed with unmaintained when the crate says it is intended to be used only in test / dev env - nonetheless there are associated monorepo crates which don't mention this and are used elsewhere

Cheers

@Dylan-DPC

i am ready to help maintain it if needed and form a team to increase the bus factor if either the old maintainers or the envy ones are interested

@allan2

allan2 commented Aug 14, 2022

@Dylan-DPC I'm the maintainer of dotenvy.

Thank you for your interest in this topic. I've invited you to the repo.

@Dylan-DPC

thanks i got it

@allan2

allan2 commented Aug 23, 2022

This reply is based on my comment on #1359.

> However dotenvy hasn't had a release since March - repo was updated 9 days ago.

Release v0.15.2 was put out today.

> So that we don't have another situation like this -
>
> Would it be helpful to have more than one maintainer for it or have a backup plan ?

@Dylan-DPC was added to the repo on Aug 14. I'm still kicking but I appreciate your thoughts of contingency ;)

> Note: I would be slightly hesitant to proceed with unmaintained when the crate says it is intended to be used only in test / dev env - nonetheless there are associated monorepo crates which don't mention this and are used elsewhere

As stated on the README, dotenvy is convenient for dev environments. This does not mean that it is not intended for prod.
Some may want to use .env files in dev only, preferring to set env vars in the VM or container in prod. Others may wish to use .env in both dev and prod environments. It's up to the preference of the developer.

I created the dotenvy fork because I noticed that dotenv-rs was inactive.

Happy to help improve dotenv on Rust ~
