ChorusOne / eth-staking-smith

Ethereum 2.0 deposit CLI / library
Apache License 2.0

Remove support for serde with pre-built binaries #32

Closed mksh closed 1 year ago

mksh commented 1 year ago

Serde in versions > 1.0.171 ships a non-reproducible and unsigned binary, which is a security issue.

cc serde-rs/serde#2538

ssokolow commented 1 year ago

I'm not a cargo-deny expert, but I believe this is what you'd need for that.

# cargo-deny configuration (deny.toml): reject any serde_derive release newer
# than 1.0.171 anywhere in the dependency graph, transitive dependencies included.
[bans]
deny = [
    { name = "serde_derive", version = ">1.0.171" }
]
mksh commented 1 year ago

The versions of serde from 1.0.171 to 1.0.184 inclusive do ship the blob, so they can still be potentially harmful. This PR now pins serde to a version where the blob is removed, and adds a cargo-deny check to verify that blob-carrying versions of serde do not slip in as transitive dependencies.
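A lockfile check in the spirit of the cargo-deny rule this PR adds, written as an added example (not eth-staking-smith code): it scans a Cargo.lock, which lists every resolved crate including transitive ones, and reports serde_derive versions inside the range mksh names above. The sample lockfile is constructed, and the inclusive range 1.0.171 to 1.0.184 is taken from the thread rather than from an advisory; adjust it to the range you trust.

```rust
// Added example: flag serde_derive releases in a Cargo.lock that fall inside
// the blob-shipping range stated in the PR thread. No external crates needed.

/// Parse "MAJOR.MINOR.PATCH" into a tuple that compares lexicographically.
/// Anything else (pre-release tags, build metadata, garbage) yields None.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.trim().split('.').map(|p| p.parse::<u64>().ok());
    match (it.next(), it.next(), it.next(), it.next()) {
        (Some(Some(a)), Some(Some(b)), Some(Some(c)), None) => Some((a, b, c)),
        _ => None,
    }
}

/// Inclusive range as stated in the PR discussion above (an assumption taken
/// from the thread, not from an upstream advisory).
const BLOB_RANGE: ((u64, u64, u64), (u64, u64, u64)) = ((1, 0, 171), (1, 0, 184));

/// Walk the [[package]] sections of a Cargo.lock and return every serde_derive
/// version inside BLOB_RANGE. A trailing synthetic "[[package]]" flushes the
/// last real section without duplicating the check.
pub fn flagged_serde_derive(lock: &str) -> Vec<String> {
    let mut flagged = Vec::new();
    let (mut name, mut version): (Option<&str>, Option<&str>) = (None, None);
    for line in lock.lines().chain(std::iter::once("[[package]]")) {
        let line = line.trim();
        if line == "[[package]]" {
            if let (Some("serde_derive"), Some(v)) = (name, version) {
                if let Some(p) = parse_version(v) {
                    if p >= BLOB_RANGE.0 && p <= BLOB_RANGE.1 {
                        flagged.push(v.to_string());
                    }
                }
            }
            name = None;
            version = None;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"'));
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"'));
        }
    }
    flagged
}

/// Constructed sample lockfile: serde_derive 1.0.180 sits inside the range.
pub const SAMPLE_LOCK: &str = "# This file is automatically @generated by Cargo.\nversion = 3\n\n[[package]]\nname = \"serde\"\nversion = \"1.0.180\"\n\n[[package]]\nname = \"serde_derive\"\nversion = \"1.0.180\"\n\n[[package]]\nname = \"serde_json\"\nversion = \"1.0.105\"\n";

fn main() {
    for v in flagged_serde_derive(SAMPLE_LOCK) {
        println!("serde_derive {v} is in the blob-shipping range; pin or deny it");
    }
}
```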