oli/rdbms-playground
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: migrate off unsound serde_yml to serde_norway

Browse Source 
serde_yml (RUSTSEC-2025-0068) and its libyml backend
(RUSTSEC-2025-0067) are archived, unsound, and unmaintained with no
patched version. Swap to serde_norway, the maintained serde_yaml fork
on unsafe-libyaml-norway — a drop-in for our from_str / to_string /
Value usage across persistence, undo, and the catalog parser.

Clears both advisories (cargo audit / osv-scanner / grype all clean;
serde_yml + libyml gone from the tree). No behaviour change; full
suite 2151/0/1.
This commit is contained in:
claude@clouddev1
2026-06-02 14:34:34 +00:00
parent c9a92c9c20
commit 9e2372b039
6 changed files with 27 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/persistence/migrations.rs
+1 -1
View File
@@ -281,7 +281,7 @@ fn read_version(body: &str) -> Result<u32, MigrateError> {
struct VersionOnly {
version: u32,
}
let v: VersionOnly = serde_yml::from_str(body).map_err(|e| {
let v: VersionOnly = serde_norway::from_str(body).map_err(|e| {
MigrateError::VersionParse(e.to_string())
})?;
Ok(v.version)
src/persistence/yaml.rs
+4 -4
View File
@@ -1,5 +1,5 @@
//! `project.yaml` writer (hand-rolled, ADR-0015 §3) and
//! reader (`serde_yml`, ADR-0015 §7).
//! reader (`serde_norway`, ADR-0015 §7).
//!
//! The schema YAML uses a small, fixed set of structures —
//! tables, columns, relationships — and the values it carries
@@ -7,7 +7,7 @@
//! the fixed `Type` enum, action names from `ReferentialAction`).
//! Hand-rolling the writer avoids pulling a YAML serializer
//! dep just for the write path; the read path uses
//! `serde_yml` because we need to handle whatever the user
//! `serde_norway` because we need to handle whatever the user
//! (or a future migrator, or a hand-edit) puts in there.
//
// `pub(crate)` items in this private submodule are
@@ -268,7 +268,7 @@ const fn is_safe_yaml_char(c: char) -> bool {
/// fatal banner per ADR-0015 §8.
pub(crate) fn parse_schema(body: &str) -> Result<SchemaSnapshot, YamlError> {
let raw: RawProject =
serde_yml::from_str(body).map_err(|e| YamlError::Syntax(e.to_string()))?;
serde_norway::from_str(body).map_err(|e| YamlError::Syntax(e.to_string()))?;
if raw.version != 1 {
return Err(YamlError::UnsupportedVersion(raw.version));
}
@@ -351,7 +351,7 @@ pub(crate) fn parse_schema(body: &str) -> Result<SchemaSnapshot, YamlError> {
/// unparseable body for the same reason.
#[must_use]
pub(super) fn parse_stored_mode(body: &str) -> Option<Mode> {
let raw: RawProject = serde_yml::from_str(body).ok()?;
let raw: RawProject = serde_norway::from_str(body).ok()?;
raw.project.mode.as_deref().and_then(Mode::from_keyword)
}