chore(deps): replace serde_yml with serde_norway #357
Merged
branchseer merged 2 commits into main (Apr 24, 2026)
Conversation
serde_yml v0.0.12 triggers RUSTSEC-2025-0068 (unsound, unmaintained; project archived), which fails the Security Analysis cargo-deny advisories check. No safe upgrade of serde_yml is available, so switch to serde_yaml_ng — a drop-in maintained fork — per the advisory's recommended alternatives.
serde_norway is more actively maintained (Dec 2024 vs May 2024 last release), dual-licensed MIT/Apache-2.0, and ships its own unsafe-libyaml-norway fork so advisories against the C bindings can be patched without waiting on upstream.
Motivation

The Security Analysis job (which runs `cargo deny check` whenever `Cargo.lock` changes) fails on every PR that touches `Cargo.lock` because `serde_yml v0.0.12` trips RUSTSEC-2025-0068: the crate is unsound (`Serializer.emitter` can segfault), the upstream project has been archived, and the advisory explicitly states "No safe upgrade is available". The only fix is to move off `serde_yml`. Example failure: run 24874266956 on #352.

Summary

- Replace `serde_yml = "0.0.12"` with `serde_norway = "0.9.42"` in the workspace `Cargo.toml` and in `crates/vite_workspace/Cargo.toml`.
- Switch `vite_workspace::load_package_graph` to call `serde_norway::from_slice` for `pnpm-workspace.yaml`.
- `Error::SerdeYml { serde_yml_error: serde_yml::Error }` → `Error::SerdeYaml { serde_yaml_error: serde_norway::Error }` so the type stays generic over the backing crate.
- `Cargo.lock` (adds `serde_norway`, `unsafe-libyaml-norway`; drops `serde_yml`, `libyaml-safer`, and their exclusive transitive deps).

Why serde_norway over the other forks

`serde_yml`'s RUSTSEC advisory lists four alternatives; both maintained `serde_yaml` forks (`serde_norway` and `serde_yaml_ng`) are drop-in compatible. `serde_norway` is more actively maintained (last release Dec 2024 vs May 2024), dual-licensed MIT/Apache-2.0, and ships its own `unsafe-libyaml-norway` fork of the C bindings so future advisories against libyaml can be patched without waiting on upstream.

Test plan

- `cargo deny check --config <oxc security-action deny.toml>` → `advisories ok, bans ok, licenses ok, sources ok` (was `unsound: RUSTSEC-2025-0068` before)
- `cargo test -p vite_workspace` → 79 passed
- `cargo clippy -p vite_workspace --all-targets -- -D warnings` → clean