fix: migrate off unsound serde_yml to serde_norway
serde_yml (RUSTSEC-2025-0068) and its libyml backend (RUSTSEC-2025-0067) are archived, unsound, and unmaintained with no patched version. Swap to serde_norway, the maintained serde_yaml fork on unsafe-libyaml-norway — a drop-in for our from_str / to_string / Value usage across persistence, undo, and the catalog parser. Clears both advisories (cargo audit / osv-scanner / grype all clean; serde_yml + libyml gone from the tree). No behaviour change; full suite 2151/0/1.
+4
-1
@@ -30,7 +30,10 @@ rand = "0.10.1"
|
||||
ratatui = "0.30.0"
|
||||
rusqlite = { version = "0.39.0", features = ["backup", "bundled", "column_metadata"] }
|
||||
serde = { version = "1.0.228", features = ["derive"] }
|
||||
serde_yml = "0.0.12"
|
||||
# Maintained fork of `serde_yaml` (the deprecated original). Replaces
|
||||
# `serde_yml`, which was archived as unsound + unmaintained
|
||||
# (RUSTSEC-2025-0068, and its `libyml` backend RUSTSEC-2025-0067).
|
||||
serde_norway = "0.9.42"
|
||||
sysinfo = { version = "0.39.0", default-features = false, features = ["system"] }
|
||||
tokio = { version = "1.52.2", features = ["full"] }
|
||||
tracing = "0.1.44"
|
||||
|
||||
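Review bot: The comment above `serde_norway` records why `serde_yml` was dropped, but nothing in this section keeps `serde_yml` or `libyml` from returning through a transitive dependency. The clean scanner results quoted in the description are a point-in-time check. I would extend the comment with a line such as `# Do not re-add serde_yml/libyml, directly or transitively; cargo audit must stay clean.` If the project runs a dependency-policy check in CI (not visible on this page), both crates should also be listed as banned there. The requirement `"0.9.42"` is a caret range, so the lockfile is what actually fixes the resolved version of the new YAML parser.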