trishume / syntect

Rust library for syntax highlighting using Sublime Text syntax definitions.
https://docs.rs/syntect
MIT License
1.85k stars 130 forks

Replace `yaml-rust` with `yaml-rust2` in order to not be affected by `RUSTSEC-2024-0320` #537

Open d3rpp opened 2 months ago

d3rpp commented 2 months ago

yaml-rust appears to be unmaintained; however, the community has published an actively maintained fork under the name of yaml-rust2. It is a drop-in replacement.

Details on "Vulnerability" - RUSTSEC-2024-0320.

Assuming this isn't a duplicate (I could not find this being brought up before in this issues list), I will submit a PR dropping this in, it's a single line so assuming the developers of yaml-rust2 didn't change the API, shouldn't be an issue.
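As an added example (not code from this issue thread or from syntect itself), here is a small POSIX shell check that scans a Cargo.lock for the unmaintained `yaml-rust` crate named in RUSTSEC-2024-0320 and lists which packages pull it in directly. The lock file contents are constructed for the demo; `cargo audit` from the RustSec project does this against the full advisory database, this just isolates the lock-file check.

```shell
#!/bin/sh
# Added example: detect the unmaintained `yaml-rust` crate in a Cargo.lock
# and report which packages depend on it. Not part of syntect.

# Constructed sample Cargo.lock fragment (not syntect's real lock file).
SAMPLE_LOCK='[[package]]
name = "linked-hash-map"
version = "0.5.6"

[[package]]
name = "yaml-rust"
version = "0.4.5"
dependencies = [
 "linked-hash-map",
]

[[package]]
name = "syntect"
version = "5.2.0"
dependencies = [
 "yaml-rust",
]
'

# Constructed lock after the swap to yaml-rust2 (assumed version string).
FIXED_LOCK='[[package]]
name = "yaml-rust2"
version = "0.8.0"

[[package]]
name = "syntect"
version = "5.2.0"
dependencies = [
 "yaml-rust2",
]
'

# Print the name of every [[package]] entry in a Cargo.lock read from stdin.
lock_package_names() {
    sed -n 's/^name = "\([^"]*\)"/\1/p'
}

# Exit 0 if the unmaintained yaml-rust crate is present, 1 otherwise.
# Usage: printf '%s' "$lock" | has_yaml_rust
has_yaml_rust() {
    lock_package_names | grep -qx 'yaml-rust'
}

# Print the name of every package whose dependencies list yaml-rust.
# Cargo.lock lists each dependency as a quoted line inside `dependencies = [`.
dependents_of_yaml_rust() {
    awk '
        /^\[\[package\]\]/ { name = "" }
        /^name = /         { name = $3; gsub(/"/, "", name) }
        /^ *"yaml-rust",?$/ { print name }
    '
}

# Human-readable summary; always exits 0 so it is safe to run under set -e.
check_lock() {
    if has_yaml_rust; then
        echo "yaml-rust present (RUSTSEC-2024-0320); replace with yaml-rust2 in:"
        return 0
    fi
    echo "yaml-rust not present"
}

# Demonstration on the constructed inputs.
printf '%s' "$SAMPLE_LOCK" | check_lock
printf '%s' "$SAMPLE_LOCK" | dependents_of_yaml_rust
printf '%s' "$FIXED_LOCK" | check_lock
```

`check_lock` reads stdin once, so the dependents list is printed by a separate pipe; on a real project replace the `printf` with `cat Cargo.lock`.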

d3rpp commented 2 months ago

Update: it appears yaml-rust isn't being used in the crate at all?

I'll submit a PR to run the update regardless, though it may be worth looking into removing it altogether since the dependency doesn't seem to be referenced in the code at all.

CosmicHorrorDev commented 2 months ago

> Update: it appears yaml-rust isn't being used in the crate at all?

It's used throughout this file

https://github.com/trishume/syntect/blob/de715e5a8194ecaf0d0d78fbdd97add54277ffbd/src/parsing/yaml_load.rs#L8-L9

d3rpp commented 2 months ago

> > Update: it appears yaml-rust isn't being used in the crate at all?
>
> It's used throughout this file
>
> https://github.com/trishume/syntect/blob/de715e5a8194ecaf0d0d78fbdd97add54277ffbd/src/parsing/yaml_load.rs#L8-L9

Ah, my apologies