RustCrypto / RSA

RSA implementation in pure Rust
Apache License 2.0
536 stars 148 forks

Pin serde to <1.0.172 #359

Closed newpavlov closed 1 year ago

newpavlov commented 1 year ago

serde v1.0.172 and later include pre-compiled binaries, which is a security hazard. So until the decision gets reverted, I believe it's worth pinning the upper version of serde. This approach may cause issues if a different crate in someone's dependency tree depends on a post-1.0.172 version of serde, but I think this issue is small enough when compared to the security concerns. Also, a number of other crates in the ecosystem follow this approach, so we are not alone.

More information and discussion about the serde change can be found in https://github.com/serde-rs/serde/issues/2538.

tarcieri commented 1 year ago

Isn't the offending binary in the serde_derive crate?

Edit: oh, I see, serde pins serde_derive with =

newpavlov commented 1 year ago

serde uses a pinned version of serde_derive, i.e. serde v1.0.172 uses strictly only serde_derive v1.0.172.
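A defender-side check that follows from the two points above (pin serde below 1.0.172, and serde_derive is locked to the same version by serde's `=` requirement): scan a resolved Cargo.lock and report any serde or serde_derive entry at or above 1.0.172. This is an added example, not code from the RustCrypto/RSA repository or from this PR; the lockfile text is constructed for the demo, the `1.0.172` floor is taken from the discussion, and the minimal `[[package]]` reader only understands the `name`/`version` keys it needs.

```rust
// Added example (not part of the RustCrypto/RSA PR): flag serde-family
// packages in a Cargo.lock whose version is >= 1.0.172, the range the PR
// pins out. Lockfile contents below are constructed for the demonstration.

/// First serde release that shipped the pre-compiled serde_derive binary
/// (value taken from the PR discussion).
pub const AFFECTED_FLOOR: (u64, u64, u64) = (1, 0, 172);

/// Parse "major.minor.patch" into a tuple; anything else yields None.
/// Pre-release/build suffixes are not handled; lockfile entries for these
/// crates use plain three-part versions.
pub fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut parts = s.split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    let patch = parts.next()??;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// One `[[package]]` entry from Cargo.lock, reduced to name and version.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// Minimal Cargo.lock reader: walks `[[package]]` blocks and collects the
/// `name = "..."` and `version = "..."` keys of each. Every other key
/// (checksum, source, dependencies) is ignored. The top-level
/// `version = N` lockfile-format line is dropped because no name precedes it.
pub fn parse_lockfile(text: &str) -> Vec<LockedPackage> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<LockedPackage>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(LockedPackage { name: n, version: v });
        }
    }
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Return the serde / serde_derive entries whose version is >= AFFECTED_FLOOR.
/// Tuple comparison is lexicographic, so (1,0,171) < (1,0,172) <= (1,1,0).
pub fn find_affected(packages: &[LockedPackage]) -> Vec<LockedPackage> {
    packages
        .iter()
        .filter(|p| p.name == "serde" || p.name == "serde_derive")
        .filter(|p| parse_version(&p.version).map_or(false, |v| v >= AFFECTED_FLOOR))
        .cloned()
        .collect()
}

/// Constructed sample lockfile (not a real project's Cargo.lock).
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "some-other-crate"
version = "0.1.0"

[[package]]
name = "serde"
version = "1.0.175"
dependencies = [
 "serde_derive",
]

[[package]]
name = "serde_derive"
version = "1.0.175"
"#;

fn main() {
    let packages = parse_lockfile(SAMPLE_LOCK);
    let affected = find_affected(&packages);
    if affected.is_empty() {
        println!("no serde/serde_derive entries at or above 1.0.172");
    }
    for p in &affected {
        println!("{} {} is at or above 1.0.172", p.name, p.version);
    }
}
```

Because serde's `=` requirement locks serde_derive to the identical version, a lockfile that is affected will normally show both crates in the range; the check still inspects each entry separately so an inconsistent or hand-edited lockfile is not silently passed.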

newpavlov commented 1 year ago

@dignifiedquire I will merge this PR, but will not do a release and will leave it up to your discretion.