oli/rdbms-playground
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: migrate off unsound serde_yml to serde_norway

Browse Source 
serde_yml (RUSTSEC-2025-0068) and its libyml backend
(RUSTSEC-2025-0067) are archived, unsound, and unmaintained with no
patched version. Swap to serde_norway, the maintained serde_yaml fork
on unsafe-libyaml-norway — a drop-in for our from_str / to_string /
Value usage across persistence, undo, and the catalog parser.

Clears both advisories (cargo audit / osv-scanner / grype all clean;
serde_yml + libyml gone from the tree). No behaviour change; full
suite 2151/0/1.
This commit is contained in:
claude@clouddev1
2026-06-02 14:34:34 +00:00
parent c9a92c9c20
commit 9e2372b039
6 changed files with 27 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/undo.rs
+2 -2
View File
@@ -412,7 +412,7 @@ impl SnapshotStore {
let path = self.index_path();
let mut index = if path.exists() {
let body = fs::read_to_string(&path).map_err(|e| io_err("read index", &path, e))?;
serde_yml::from_str(&body).map_err(|e| SnapshotError::Index {
serde_norway::from_str(&body).map_err(|e| SnapshotError::Index {
message: e.to_string(),
})?
} else {
@@ -437,7 +437,7 @@ impl SnapshotStore {
fn save_index(&self, index: &Index) -> Result<()> {
create_dir_all(&self.root)?;
let body = serde_yml::to_string(index).map_err(|e| SnapshotError::Index {
let body = serde_norway::to_string(index).map_err(|e| SnapshotError::Index {
message: e.to_string(),
})?;
let path = self.index_path();