time-rs / time

The most used Rust library for date and time handling.
https://time-rs.github.io
Apache License 2.0

incorrect serde version dependency requirement in Cargo.toml #612

Closed lovasoa closed 1 year ago

lovasoa commented 1 year ago

The latest version of this crate breaks cargo outdated by default, which is a much higher security risk than depending on the latest version of serde.

Cargo dependencies are made to specify which versions of a dependency your crate works with. Even if the latest serde had a major security vulnerability (which it doesn't have), that would not be a reason to lie about the real version requirements of this crate in Cargo.toml.

Please, let's not wreak havoc on the entire Rust ecosystem!

I understand how you probably feel about the change in serde, but let's not make things worse, please!

jhpratt commented 1 year ago

#611