vim-just icon indicating copy to clipboard operation
vim-just copied to clipboard
verified publisher icon NoahTheDuke

`serde_yaml` is officially dead

Open laniakea64 opened this issue 2 years ago • 5 comments

Our ftdetect test runner currently uses serde_yaml for deserializing the test cases specifications. But this crate is now officially dead, with last version ending in "+deprecated".

The unsafe-libyaml crate (by the same author) that serde_yaml depends on, also appears no longer maintained.

I'm looking into possible replacements as I get the chance.

laniakea64 avatar Apr 05 '24 16:04 laniakea64

The option that looks the best to me is yaml-peg with its serde support feature. I tried it in a VM and got it working with a minor code change.

But, I'm missing some information to decide whether we should go for it. The Cargo dependencies I've previously introduced to vim-just were largely based on either the crate or its author having some tie to something we already trust - Rust itself, just, or our pre-existing dependencies. I was unable to find such tie for yaml-peg, and lack the expertise to audit this crate directly myself.

@NoahTheDuke What do you think about using yaml-peg?

laniakea64 avatar Apr 05 '24 19:04 laniakea64

I don't know that we need to change anything until our code starts breaking.

NoahTheDuke avatar Apr 05 '24 19:04 NoahTheDuke

Yeah this probably isn't urgent since this only happened on 24/25 March, not even 2 weeks ago, and our code still works fine with the old version of serde_yaml we're using, and cargo audit doesn't take issue with this. But these libraries use a lot of unsafe Rust, and long-term use of unmaintained unsafe Rust would seem unwise.

I'm fine with postponing this for now.

laniakea64 avatar Apr 05 '24 20:04 laniakea64

Another candidate exists now - https://crates.io/crates/serde_yaml2

laniakea64 avatar Apr 26 '24 10:04 laniakea64

Needed a serde YAML crate for something I was experimenting with, so decided to revisit this while at it.

Let's switch to serde_yaml2:

  • For us it is a drop-in replacement for serde_yaml.
  • One of the maintainers of its backend yaml-rust2 is trusted by a member of the rust-lang Github organization.
  • Its dependencies look more maintained than yaml-peg's dependencies
  • Quick grep found no unsafe Rust code in either serde_yaml2 or yaml-rust2, so if one of these were to become unmaintained, it'd likely be less concern than serde_yaml being unmaintained.
  • I can almost read serde_yaml2's code well enough to vet it, and it looks reasonable to me.
  • FWIW, dtolnay, Rust developer & serde_yaml maintainer, is watching the serde_yaml2 repository.

Also happened on something that has potential to become reason not to wait too long before replacing serde_yaml, but quick Internet search didn't find any sign of that potential being a reality at this time.

laniakea64 avatar May 27 '24 03:05 laniakea64

cargo audit doesn't take issue with this

There is now movement on filing an advisory about serde_yaml, so removing the "on hold" tag. If no objections to using serde_yaml2, I'll address this along when it's time to remove the once_cell dependency.

laniakea64 avatar Jul 28 '24 19:07 laniakea64