Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pin upper version of serde to <1.0.172 #1201

Merged
merged 4 commits into from
Aug 19, 2023
Merged

Pin upper version of serde to <1.0.172 #1201

merged 4 commits into from
Aug 19, 2023

Conversation

newpavlov
Copy link
Member

serde v1.0.172 and later include pre-compiled binaries which is a security hazard. So until the decision gets reverted, I believe it's worth to pin upper version of serde. This approach may cause issues if a different crate in someone's dependency tree will depend on a post-1.0.172 version of serde, but I think this issue is small enough when compared to the security concerns. Also, a number of other crates in the ecosystem follow this approach, so we are not alone.

tai64 depends on serde, but does not use the derive feature, so pinning is not needed there. serdect uses derive only for dev builds, but I've pinned the version just in case.

More information and discussion about the serde change can be found in serde-rs/serde#2538.

@tarcieri
Copy link
Member

@newpavlov have you confirmed this actually works when the derive feature is disabled?

@newpavlov
Copy link
Member Author

newpavlov commented Aug 19, 2023

I am not sure I understand your concern. The derive feature gets unconditionally enabled, if serde feature is on. serdect does not enable derive, but it's widely used by downstream crates and I am not sure if they do not enable it.

Running cargo update selects serde_derive v1.0.171. Annoyingly, it means that deps.rs reports serde as an outdated dependency.

@newpavlov newpavlov merged commit 5b15318 into master Aug 19, 2023
172 checks passed
@newpavlov newpavlov deleted the pin_serde branch August 19, 2023 17:09
@newpavlov
Copy link
Member Author

@tarcieri
I can not publish serdect since you are the only owner, so I will leave it to you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants