
serde_yaml package is deprecated and no longer maintained #6262

Open

gnattishness opened this issue Aug 15, 2024 · 1 comment
Labels: code-quality, dependencies, security

gnattishness commented Aug 15, 2024

Description

As of release 0.9.34, serde_yaml is deprecated and the repository has been archived.

Version

Lighthouse stable and unstable

Present Behaviour

Currently Lighthouse depends on serde_yaml 0.9.34+deprecated.
It is currently working and there are no vulnerabilities that I am aware of.

Steps to resolve

Consider alternatives.
At this stage, keeping serde_yaml may be preferable while alternatives become more mature and vetted.
We want to be careful to avoid a supply chain attack.

  • https://crates.io/crates/serde_yaml_ng appears to be a sincere fork intended as a drop-in replacement.
    • The original maintainer of serde_yaml has highlighted limitations with the existing libyaml backend (unmaintained) here, stating that an improved backend would be a pure Rust implementation, or a close translation of the libfyaml C code.
      • Apparently libyaml doesn't support YAML 1.2 properly, but I don't know much about that.
  • https://github.com/saphyr-rs/saphyr is a recently created project based on yaml-rust (which is no longer maintained).
    • They also maintain yaml_rust2, intended to be backwards compatible.
    • It does not currently support serde, but intends to, and it looks like that will eventually be in a saphyr-serde crate.
  • There's a serde-yml fork that has more downloads on crates.io but seems a bit suspicious, and I'd recommend against it.
gnattishness (Member, Author) commented:

About the serde-yml fork and related libyml that seem dodgy and suspicious:

michaelsproul added the code-quality, security and dependencies labels Aug 15, 2024