
serde_yaml is unmaintained

Open jayvdb opened this issue 1 year ago • 4 comments

https://crates.io/crates/serde_yaml latest version is "v0.9.34+deprecated" - uploaded March 2024

Repo https://github.com/dtolnay/serde-yaml was also archived.

Forks:

  • ~~https://github.com/sebastienrousseau/serde_yml/commits/master/ - 110 commits - uses https://crates.io/crates/libyml instead of also unmaintained unsafe-libyaml~~ (see https://github.com/rustsec/advisory-db/issues/2212)
  • https://crates.io/crates/serde_yaml_ng - ~30 commits / quite active at https://github.com/acatton/serde-yaml-ng/commits/master/
  • https://crates.io/crates/serde_norway - ~30 commits / quite active at https://github.com/cafkafk/serde-norway , however states that they are not committed to maintaining long term
  • https://crates.io/crates/serde_yaml_ok - one enhancement at https://github.com/mkovaxx/serde-yaml-ok/commits/main/
  • https://github.com/chhe/serde-yaml - branches of 0.8 instead of 0.9 - @chhe , what was the reason for doing this?

Alternatives:

  • https://crates.io/crates/serde_yaml2 , project started in April 2024 - https://github.com/zim32/serde_yaml2/commits/main/ ; uses https://github.com/Ethiraric/yaml-rust2 instead of libyaml - Incompatibilities being collated at https://github.com/zim32/serde_yaml2/issues/2
  • https://github.com/KmolYuan/yaml-peg-rs - no yaml dependency used
  • https://github.com/qiuchengxuan/serde-yaml-core - not on crates.io - "serde-yaml for no_std programs"
  • https://github.com/s1s5/serde-yaml - another attempt at using yaml-rust2
  • https://github.com/g-plane/pretty_yaml - no yaml dependency used

jayvdb, Nov 13 '24 23:11

> https://crates.io/crates/serde_norway - ~30 commits / quite active at https://github.com/cafkafk/serde-norway , however states that they are not committed to maintaining long term

Regarding this, I've decided to actually commit to maintaining it, since it has made its way into too many projects I care about.

cafkafk, Dec 05 '24 15:12

See also #2212

evilpie, Jan 27 '25 17:01

https://x.com/davidtolnay/status/1884351128332296594

> Anything with a legacy from libyaml should be regarded as defective. It is no longer developed and there is a high severity security vulnerability that the maintainers have kept private for 10 months.

Sounds like an advisory should be done, especially for unsafe-libyaml. Probably also forks. @cafkafk ;-(

jayvdb, Jan 29 '25 01:01

To be fair, I know of a few other C libs that have embargoed vulns with worse lifetimes than that, which haven't been fixed yet to my knowledge, so I wouldn't put that against libyaml (the kernel will have vulns with lifetimes like this that are embargoed for years, IIRC), but the being-unmaintained part is a bigger problem.

cafkafk, Jan 29 '25 06:01

https://github.com/sdf-labs/dbt-serde-yaml is another alternative - it depends on unsafe-libyaml.

jayvdb, Sep 11 '25 04:09

https://github.com/romnn/yaml-spanned based on https://crates.io/crates/libyaml-safer

jayvdb, Sep 11 '25 04:09

I have created PR https://github.com/rustsec/advisory-db/pull/2397 for serde_yml (i.e. not serde_yaml, which is PR https://github.com/rustsec/advisory-db/pull/2023 but has stalled).

jayvdb, Sep 11 '25 04:09

https://crates.io/crates/serde-saphyr created recently.

jayvdb, Nov 04 '25 19:11

Also https://github.com/saphyr-rs/saphyr/issues/66 suggests another crate coming.

jayvdb, Nov 04 '25 19:11

I've tried serde-saphyr, and it is by far the best so far of the crates which don't depend on libyaml under the hood. The parser in saphyr isn't as complete as libyaml - it failed on some of my very complete structures, but it handled average complexity data structures.

The interface is similar to serde_yaml, except it has two Error types for de and ser, instead of one combined. And https://github.com/bourumir-wyngs/serde-saphyr/issues/15 , but that was easy to work around.

jayvdb, Nov 04 '25 23:11

I've now played around with https://crates.io/crates/yaml-spanned 's serde support. Its API is a bit different, and not well documented, so here is an example:

    // Parse the text with yaml-spanned, converting its parse error into the
    // serde error type of the enclosing function so that `?` works, then
    // deserialize the resulting value into your own type.
    yaml_spanned::from_value::<YourStructHere>(
        &yaml_spanned::from_str(&string)
            .map_err(serde::de::Error::custom)?
            .into(),
    )

jayvdb, Nov 05 '25 01:11

yaml-spanned and its underlying https://github.com/simonask/libyaml-safer provide identical parsing/deserialisation to serde_yaml.

However it doesn't provide to_string/serialisation. The workaround I went with is using `let json = json5::to_string(value)`, and then `yaml_rust2::YamlLoader::load_from_str(json)` and `yaml_rust2::YamlEmitter` to round-trip the JSON into nicely formatted YAML.

Note: Using json5 instead of serde_json is to avoid JSON limitations, e.g. https://github.com/serde-rs/json/issues/202

jayvdb, Nov 08 '25 21:11

I have created https://github.com/rustsec/advisory-db/pull/2459

I intentionally neither recommended serde_yaml forks with their own fork of unsafe-libyaml, like serde_norway, nor included them in the RUSTSEC as defective. They are maintained, even if there are security concerns in them. Hopefully users of serde_norway (etc) will soon have good alternatives to switch to.

jayvdb, Nov 16 '25 02:11
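Since the concern in this thread is transitive exposure to the libyaml lineage, here is an added example (not from the thread or from any of the crates it mentions) that walks a Cargo.lock and reports the dependency chain that pulls in each flagged crate. The lockfile fragment and the crate names `myapp` and `config-loader` are constructed; the flagged set holds the crates the thread ties to libyaml and can be extended.

```python
LIBYAML_LINEAGE = {"unsafe-libyaml", "serde_yaml", "dbt-serde-yaml"}  # crates the thread ties to libyaml
# Constructed Cargo.lock fragment; "myapp" and "config-loader" are hypothetical crate names.
SAMPLE_LOCK = """[[package]]
name = "myapp"
dependencies = [
 "config-loader",
]
[[package]]
name = "config-loader"
dependencies = [
 "serde_yaml 0.9.34+deprecated",
]
[[package]]
name = "serde_yaml"
dependencies = [
 "unsafe-libyaml",
]
[[package]]
name = "unsafe-libyaml"
"""

def parse_cargo_lock(text):
    """Return {crate: [dependency crate names]}; assumes only [[package]] tables and one version per name."""
    pkgs, deps, in_deps = {}, [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "[[package]]":
            deps, in_deps = [], False
        elif in_deps and line.startswith("]"):
            in_deps = False
        elif in_deps:
            deps.append(line.strip('",').split()[0])  # '"name version (source)"' -> name
        elif line.startswith("name = "):
            pkgs[line.split('"')[1]] = deps  # same list object; later dependency lines fill it
        elif line.startswith("dependencies = ["):
            in_deps = True
    return pkgs

def libyaml_paths(pkgs, flagged=LIBYAML_LINEAGE):
    """Map each flagged crate in the lockfile to the first root-to-crate dependency chain found."""
    found, visited = {}, set()
    def walk(name, trail):
        if name not in visited:  # expand each crate once; also breaks cycles
            visited.add(name)
            if name in flagged:
                found[name] = " -> ".join(trail + [name])
            for dep in pkgs.get(name, []):
                walk(dep, trail + [name])
    for root in [n for n in pkgs if not any(n in ds for ds in pkgs.values())]:  # roots: nobody depends on them
        walk(root, [])
    return found
```

Against a real lockfile, call `libyaml_paths(parse_cargo_lock(open("Cargo.lock").read()))`; a chain that passes through an intermediate crate such as `config-loader` shows exposure the project never opted into directly.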