Closed newpavlov closed 1 year ago
Isn't the offending binary in the `serde_derive` crate?

Edit: oh, I see, `serde` pins `serde_derive` with `=`.

`serde` uses a pinned version of `serde_derive`, i.e. `serde` v1.0.172 uses strictly only `serde_derive` v1.0.172.
@dignifiedquire I will merge this PR, but will not do a release and will leave it up to your discretion.
`serde` v1.0.172 and later include pre-compiled binaries, which is a security hazard. So until the decision gets reverted, I believe it's worth pinning the upper version of `serde`. This approach may cause issues if a different crate in someone's dependency tree depends on a post-1.0.172 version of `serde`, but I think this issue is small enough when compared to the security concerns. Also, a number of other crates in the ecosystem follow this approach, so we are not alone.

More information and discussion about the `serde` change can be found in https://github.com/serde-rs/serde/issues/2538.
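A lockfile check for the situation described above, added here as an example and not code from this PR or from `serde`: it scans a `Cargo.lock` for `serde`/`serde_derive` entries at or above 1.0.172 (the threshold stated in the description) so a CI job can catch a transitive dependency pulling the pre-compiled range back in despite the pin. The lock excerpt is constructed, and the minimal `[[package]]` parser is this example's own, not Cargo's.

```rust
// Constructed sample Cargo.lock excerpt (not from the PR); serde_derive is deliberately post-1.0.172.
const SAMPLE_CARGO_LOCK: &str = r#"
[[package]]
name = "serde"
version = "1.0.171"

[[package]]
name = "serde_derive"
version = "1.0.175"

[[package]]
name = "rand"
version = "0.8.5"
"#;

/// First release that shipped the pre-compiled derive binary, per the PR description.
const FIRST_PRECOMPILED: (u64, u64, u64) = (1, 0, 172);

fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    // Cargo.lock versions are plain semver; any pre-release/build suffix is ignored here.
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// (name, version) for every [[package]] entry in a Cargo.lock (minimal parser, this example's own).
fn packages(lock: &str) -> Vec<(String, String)> {
    let field = |block: &str, key: &str| -> Option<String> {
        block.lines()
            .find_map(|l| l.strip_prefix(key).and_then(|r| r.strip_prefix(" = \"")))
            .and_then(|r| r.strip_suffix('"'))
            .map(str::to_string)
    };
    lock.split("[[package]]").skip(1)
        .filter_map(|b| Some((field(b, "name")?, field(b, "version")?)))
        .collect()
}

/// serde / serde_derive entries at or above 1.0.172, i.e. inside the pre-compiled range.
fn flag_precompiled(lock: &str) -> Vec<(String, String)> {
    packages(lock).into_iter()
        .filter(|(n, v)| (n == "serde" || n == "serde_derive")
            && parse_version(v).map_or(false, |p| p >= FIRST_PRECOMPILED))
        .collect()
}

fn main() {
    for (name, version) in flag_precompiled(SAMPLE_CARGO_LOCK) {
        println!("{name} {version}: in the pre-compiled range, pin serde below 1.0.172");
    }
}
```

In a real check, read `Cargo.lock` from disk in place of the constructed excerpt and fail the job when the returned list is non-empty.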