
Concerns with serde_yml

Open evilpie opened this issue 11 months ago • 3 comments

@dtolnay raised issues with serde_yaml on twitter/X: https://x.com/davidtolnay/status/1883906113428676938.

evilpie, Jan 27 '25 17:01

Seems this is specifically the serde_yml crate https://github.com/sebastienrousseau/serde_yml, which yea... but I'm not sure this is an actual vulnerability as much as it's just the admittedly frustrating tendency for some projects not to do very thorough vetting of their dependencies.

cafkafk, Jan 27 '25 18:01

I don't know what can be done about the debatable management of the crate, but at least the emitter issue is objectively a soundness issue and can be reported, no?

SkiFire13, Jan 28 '25 08:01

Yes, you can file an informational = "unsound" advisory for it

tarcieri, Jan 29 '25 13:01

Can be closed due to https://github.com/rustsec/advisory-db/pull/2397

jayvdb, Sep 12 '25 18:09