RustCrypto / PAKEs

Password-Authenticated Key Agreement protocols
105 stars 34 forks source link

Pin upper version of serde to <1.0.172 #145

Closed newpavlov closed 1 year ago

newpavlov commented 1 year ago

serde v1.0.172 and later include pre-compiled binaries which is a security hazard. So until the decision gets reverted, I believe it's worth to pin upper version of serde. This approach may cause issues if a different crate in someone's dependency tree will depend on a post-1.0.172 version of serde, but I think this issue is small enough when compared to the security concerns. Also, a number of other crates in the ecosystem follow this approach, so we are not alone.

More information and discussion about the serde change can be found in https://github.com/serde-rs/serde/issues/2538.