`serde` v1.0.172 and later include pre-compiled binaries, which is a security hazard. So until the decision gets reverted, I believe it's worth pinning the upper version of `serde`. This approach may cause issues if a different crate in someone's dependency tree depends on a post-1.0.172 version of `serde`, but I think this issue is small enough when compared to the security concerns. Also, a number of other crates in the ecosystem follow this approach, so we are not alone.

More information and discussion about the `serde` change can be found in https://github.com/serde-rs/serde/issues/2538.
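As an added example (not part of this PR, and not code from the serde project), the check below audits a `Cargo.lock` for `serde` entries at or above 1.0.172, the first release the PR describes as shipping a pre-compiled binary. It is the kind of guard a downstream project would run in CI to confirm that a `Cargo.toml` pin such as `serde = ">=1.0, <1.0.172"` actually holds across the whole dependency tree. The lockfile text is constructed for the example; the parser is a deliberately minimal line scan rather than a full TOML parser, which is enough because `Cargo.lock` always writes `name` and `version` as plain quoted strings.

```rust
// Added example: flag serde versions at or above 1.0.172 in a Cargo.lock.
// The lockfile contents below are constructed for illustration.

/// First serde release affected by the change discussed above.
pub const FIRST_PRECOMPILED: (u64, u64, u64) = (1, 0, 172);

/// Constructed sample lockfile: one serde below the threshold, one above,
/// and an unrelated crate that must be ignored.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde"
version = "1.0.171"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.175"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde_json"
version = "1.0.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Parse "MAJOR.MINOR.PATCH" into a comparable tuple.
/// Returns None for anything that is not exactly three integers.
pub fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// Push a completed (name, version) pair and reset the accumulators.
fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<(String, String)>) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        out.push((n, v));
    }
}

/// Minimal Cargo.lock reader: collect (name, version) for every [[package]] block.
/// The top-level `version = 3` line is discarded because no `name` precedes it.
pub fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Versions of serde in the lockfile that are >= FIRST_PRECOMPILED.
/// Unparseable versions (e.g. pre-release strings) are reported too, on the
/// principle that anything the check cannot classify deserves a human look.
pub fn affected_serde(lock: &str) -> Vec<String> {
    lock_packages(lock)
        .into_iter()
        .filter(|(n, _)| n == "serde")
        .filter(|(_, v)| parse_version(v).map_or(true, |t| t >= FIRST_PRECOMPILED))
        .map(|(_, v)| v)
        .collect()
}

fn main() {
    let hits = affected_serde(SAMPLE_LOCK);
    if hits.is_empty() {
        println!("no serde version at or above 1.0.172 in the lockfile");
    }
    for v in hits {
        println!("serde {v} is at or above 1.0.172: review before building");
    }
}
```

In a real project the sample string would be replaced by `std::fs::read_to_string("Cargo.lock")`, and a non-empty result would fail the CI step. Note that duplicate `serde` entries, as in the sample, are exactly the situation the PR warns about: another crate in the tree requiring a newer `serde` than the pin allows.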