Serde_yaml is unmaintained

[gabevenberg]

serde_yaml is unmaintained, there are several active forks:

• https://github.com/sebastienrousseau/serde_yml seems to be AI maintained?
• https://github.com/acatton/serde-yaml-ng looks a little more trustworthy...

[LukasKalbertodt]

Hi there! Thanks for raising this issue, but I'm in fact aware of this. I also pondered if I should do anything in response. Two important notes:

• Being unmaintained doesn't mean it's unusable. As long as there aren't any unfixed security issues (which there aren't), it's fine to just continue using it. The code is not going bad.
• serde_yml should absolutely be avoided. Lots seems to be AI generated and there are many red flags about the author and the repo. Many of these issues were brought up, which is the reason issues are disabled on said repository.

Both of these points are discussed in this recent Reddit thread about this issue.

---

So my plans are as follows:

• Don't do anything near term, it's perfectly fine to keep using this.
• If serious issues with serde_yaml ever appear and if there is a good maintained alternative, I will switch to that.
• I've also been thinking about replacing it with some form of "strict yaml" library. YAML is criticized for having some weird features (that most people never heard of) and there have been efforts to define a sane subset of YAML (e.g. https://hitchdev.com/strictyaml/). This crate also does not support JSON, but only JSON5, as I believe that just JSON is a really bad format for config files (due to lack of comments). But yeah, I haven't really decided yet.

[gabevenberg]

Yah, no problem, I completely agree that in the near term serde_yaml is fine to use, but in the long term, especially if serde-yaml-ng migrates to libyaml-safer, it might be a compelling reason to switch.

[lu-zero]

serde_norway seems also an option.

[jgrund]

I haven't tried it yet, but serde-saphyr could be promising.