Description
As of release 0.9.34, serde_yaml is deprecated and the repository has been archived.
Version
Lighthouse stable and unstable
Present Behaviour
Currently lighthouse depends on serde_yaml 0.9.34+deprecated.
It is currently working and there are no vulnerabilities that I am aware of.
Steps to resolve
Consider alternatives.
At this stage, keeping serde_yaml may be preferable while alternatives become more mature and vetted.
Want to be careful to avoid a supply chain attack.
- https://crates.io/crates/serde_yaml_ng appears to be a sincere fork intended as a drop-in replacement
- the original maintainer of serde_yaml has highlighted limitations with the existing libyaml backend (unmaintained) here, stating that an improved backend would be a pure Rust implementation, or a close translation of libfyaml C code
  - Apparently libyaml doesn't support YAML 1.2 properly, but I don't know much about that
- https://github.com/saphyr-rs/saphyr is a recently created project based on yaml-rust (that is no longer maintained)
  - They also maintain a yaml_rust2 intended to be backwards compatible
  - It does not currently support serde, but intends to and it looks like that will eventually be in a saphyr-serde crate
- There's a serde-yml fork that has more downloads on crates.io but seems a bit suspicious and I'd recommend against it.