fix(deps): update rust crate serde_yml to 0.0.13 [security] #145

Merged
renovate-bot merged 1 commit from renovate/crate-serde_yml-vulnerability into master 2026-05-27 23:22:38 +00:00

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| serde_yml (source) | dependencies | patch | 0.0.12 → 0.0.13 |

serde_yml crate is unsound and unmaintained

GHSA-hhw4-xg65-fp2x / RUSTSEC-2025-0068

Details

Using serde_yml::ser::Serializer.emitter can cause a segmentation fault, which is unsound.

The GitHub project for serde_yml was archived after unsoundness issues were raised.

If you rely on this crate, it is highly recommended to switch to a maintained alternative.

Recommended alternatives

  • serde_norway - Maintained fork of serde_yaml, using unsafe-libyaml-norway
  • serde_yaml_ng - Maintained fork of serde_yaml, using unmaintained unsafe-libyaml

Incomplete pure Rust alternatives

These implementations do not rely on C libyaml.

  • serde_yaml2
  • yaml-peg

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

  • https://github.com/rustsec/advisory-db/issues/2395
  • https://github.com/sebastienrousseau/serde_yml
  • https://rustsec.org/advisories/RUSTSEC-2025-0068.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sebastienrousseau/serde_yml (serde_yml)

v0.0.13: Final release (deprecation shim, RUSTSEC-2025-0068 fixed)

Compare Source: https://github.com/sebastienrousseau/serde_yml/compare/v0.0.12...v0.0.13

⚠️ Final release — serde_yml is deprecated

This is the final maintenance release of serde_yml. The crate is no longer under active development. 0.0.13 is a thin compatibility shim that lets existing call sites keep compiling while you migrate to one of the maintained alternatives listed below.

If you are reading this because cargo audit flagged your build, upgrading to 0.0.13 resolves RUSTSEC-2025-0068 structurally — see Security below.


TL;DR

  # Cargo.toml
- serde_yml = "0.0"
+ serde_yml = "0.0.13"

Your existing call sites compile unchanged. The compiler now emits a #[deprecated] warning at every use serde_yml::* import pointing at the migration guide. The C-FFI libyml parser is no longer in your dependency graph.

When you're ready to fully migrate, see the migration guide.


Security: RUSTSEC-2025-0068 fixed

RUSTSEC-2025-0068 (also GHSA-hhw4-xg65-fp2x) flagged every serde_yml ≤ 0.0.12 as unsound — the serde_yml::ser::Serializer.emitter field could cause a segmentation fault via the C-FFI libyaml parser.

0.0.13 removes the vulnerable surface entirely:

  • The C-FFI libyml dependency is gone from the graph.
  • serde_yml::ser::Serializer is now a re-export of a pure-Rust unit struct (pub struct Serializer;) with no emitter field — code that referenced .emitter no longer compiles, which is the desired outcome.
  • The backend (noyalib) enforces #![forbid(unsafe_code)] workspace-wide.

Verification:

cargo update -p serde_yml --precise 0.0.13
cargo tree -p serde_yml | grep libyml   # → no output

The RustSec advisory database PR adding patched = ["^0.0.13"] is pending review at rustsec/advisory-db#2915. Until it merges, cargo audit may still warn against 0.0.13 — the 0.0.13 release itself ships .cargo/audit.toml + deny.toml ignore entries so the self-referential warning doesn't block your own CI.


Maintained alternatives

Three crates are realistic destinations. Pick the one that fits.

| Crate | Migration shape | Best fit |
|---|---|---|
| noyalib | Drop-in via features = ["compat-serde-yaml"] | Codebases that want a serde_yml-shaped API on a modern, safe, pure-Rust backend with zero call-site changes |
| serde-saphyr | Path rename for typed code; no Value DOM | Typed-deserialise workloads (from_str::<MyStruct>) — the 95 % case |
| yaml-rust2 | Lower-level parser API, not serde-integrated | Users who were on serde_yml::libyml / loader (removed in this shim) |

Full per-destination mapping tables: MIGRATION.md.

The shim itself is backed by noyalib internally — that's an implementation detail, not a recommendation. Pick whichever alternative suits your codebase.


What's removed

The deep internal modules that previous versions exposed leaked implementation details of the C-FFI parser. They are gone in this release:

| Removed | Replacement |
|---|---|
| serde_yml::libyml::* (FFI bindings) | yaml-rust2 for low-level parsing; otherwise n/a |
| serde_yml::loader::Loader | yaml-rust2::YamlLoader or noyalib::load_all_as::<T> |
| serde_yml::de::{Event, Progress, DocumentAnchor} | Covered by the alternatives' streaming APIs |
| serde_yml::ser::{SerializerConfig, State} | noyalib::ser::Config |
| serde_yml::modules::path::Path | Error::location() / Error::path() on any alternative |
| serde_yml::value::Index | Value types in the alternatives implement Index<&str> / Index<usize> natively |

Code calling only the public top-level surface (from_str / to_string / Value / Mapping / with::singleton_map*) needs no changes.


Behavioural notes worth knowing

Two intentionally safer defaults flow through the shim:

  1. Custom-tag scalars surface as Value::Tagged rather than being coerced to the inner string. Code exhaustively matching the previous six-variant Value enum needs either a Value::Tagged(_) arm or a call to Value::untag() / Value::untag_ref() before the match.
  2. YAML 1.2 strict booleans by default. country: NO stays "NO" (the YAML 1.2 fix to the "Norway problem") instead of becoming false.

MSRV

0.0.13 requires Rust 1.85.0 (the backend's MSRV); the previous releases required 1.56. Users who cannot move past 1.56 should pin serde_yml = "=0.0.12" and plan a migration window — but note that pinning 0.0.12 keeps RUSTSEC-2025-0068 in your audit feed.


Dependencies

The runtime dependency tree dropped from six crates to two:

serde_yml v0.0.13
├── noyalib v0.0.5
│   ├── indexmap, memchr, rustc-hash, serde, smallvec
└── serde v1.0.x

No libyml, no unsafe-libyaml, no serde_yaml 0.9. Downstream cargo audit / cargo deny runs stop flagging the unmaintained chain.


Documentation

  • README.md — overview, install, behavioural notes
  • MIGRATION.md — full per-destination mapping tables, removed-surface table, test/example coverage triage
  • SECURITY.md — RUSTSEC-2025-0068 status, supported-versions table, reporting policy
  • docs.rs/serde_yml/0.0.13 — API reference with #[deprecated] banner on every item

License

Dual-licensed under Apache 2.0 or MIT, at your option.

Thanks to everyone who used and contributed to serde_yml. The crate served its purpose; it's time to move on to maintained, safer alternatives.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Renovate Bot. The local configuration can be found in my Renovate Bot repository.
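The release notes verify the fix with `cargo tree -p serde_yml | grep libyml` and note that `cargo audit` may keep warning on 0.0.13 until the RustSec `patched = ["^0.0.13"]` entry merges. A lockfile-level gate closes that window without network access. What follows is an added example, not code from serde_yml, noyalib, Renovate or this repository: using only the Rust standard library it parses the `[[package]]` entries of a Cargo.lock, walks the dependency graph from `serde_yml`, and reports a finding if the resolved `serde_yml` is older than 0.0.13 or if a banned crate is reachable. The two lockfiles embedded in the code are constructed for the example (the 0.0.13 one is abridged from the dependency tree quoted in the release notes, with leaf crates, sources and checksums omitted; the 0.0.12 one still reaches `libyml`), the banned list and the minimum version are the example's own policy, and the parser assumes a single version of each crate name in the lockfile.

```rust
// Added example (not from serde_yml, noyalib or Renovate): a std-only Cargo.lock gate for the libyml chain.
use std::collections::{HashMap, HashSet, VecDeque};
/// One `[[package]]` entry, reduced to what the gate needs.
#[derive(Default)]
struct Package { name: String, version: String, dependencies: Vec<String> }

/// Parse `[[package]]`, `name`, `version` and the multi-line `dependencies = [...]` array of a
/// Cargo.lock; other keys (source, checksum) are ignored. Assumes one version per crate name.
fn parse_lock(text: &str) -> HashMap<String, Package> {
    let mut pkgs: Vec<Package> = Vec::new();
    let mut in_deps = false;
    let unquote = |s: &str| s.trim().trim_matches(',').trim_matches('"').to_string();
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" { pkgs.push(Package::default()); in_deps = false; continue; }
        let Some(pkg) = pkgs.last_mut() else { continue };
        if in_deps {
            // Entries look like "name" or "name 1.2.3"; keep only the name.
            if line == "]" { in_deps = false; }
            else if !line.is_empty() { pkg.dependencies.push(unquote(line).split(' ').next().unwrap().to_string()); }
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkg.name = unquote(v);
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkg.version = unquote(v);
        } else if line.starts_with("dependencies = [") {
            in_deps = !line.ends_with(']');
        }
    }
    pkgs.into_iter().map(|p| (p.name.clone(), p)).collect()
}

/// Every crate reachable from `root` (breadth-first; root itself excluded).
fn reachable(lock: &HashMap<String, Package>, root: &str) -> HashSet<String> {
    let mut seen = HashSet::from([root.to_string()]);
    let mut queue = VecDeque::from([root.to_string()]);
    while let Some(name) = queue.pop_front() {
        for dep in lock.get(&name).map(|p| p.dependencies.as_slice()).unwrap_or(&[]) {
            if seen.insert(dep.clone()) { queue.push_back(dep.clone()); }
        }
    }
    seen.remove(root);
    seen
}

/// Numeric dotted-version comparison ("0.0.13" >= "0.0.9"); a pre-release suffix is ignored.
fn at_least(have: &str, min: &str) -> bool {
    let nums = |v: &str| v.split('-').next().unwrap_or("").split('.').map(|p| p.parse::<u64>().unwrap_or(0)).collect::<Vec<_>>();
    nums(have) >= nums(min)
}

/// Policy check; an empty result means the gate passes.
fn audit_lock(lock_text: &str, root: &str, min_version: &str, banned: &[&str]) -> Vec<String> {
    let lock = parse_lock(lock_text);
    let mut findings = Vec::new();
    match lock.get(root) {
        None => findings.push(format!("{root} is not in Cargo.lock")),
        Some(p) if !at_least(&p.version, min_version) =>
            findings.push(format!("{root} {} is below the required {min_version}", p.version)),
        Some(_) => {}
    }
    let deps = reachable(&lock, root);
    for b in banned.iter().filter(|b| deps.contains(**b)) {
        findings.push(format!("{root} transitively depends on banned crate {b}"));
    }
    findings
}
/// Constructed lockfile abridged from the 0.0.13 tree in the release notes (leaf crates omitted).
const LOCK_AFTER: &str = r#"
[[package]]
name = "noyalib"
version = "0.0.5"
dependencies = [
 "indexmap",
 "serde",
]
[[package]]
name = "serde_yml"
version = "0.0.13"
dependencies = [
 "noyalib",
 "serde",
]
"#;
/// Constructed "before" lockfile: 0.0.12 still pulling the C-FFI libyml crate.
const LOCK_BEFORE: &str = r#"
[[package]]
name = "serde_yml"
version = "0.0.12"
dependencies = [
 "libyml",
]
"#;
/// Example policy: the unsound C-FFI chain named by the advisory and release notes.
const BANNED: &[&str] = &["libyml", "unsafe-libyaml"];

fn main() {
    println!("0.0.12 lock: {:?}", audit_lock(LOCK_BEFORE, "serde_yml", "0.0.13", BANNED));
    println!("0.0.13 lock: {:?}", audit_lock(LOCK_AFTER, "serde_yml", "0.0.13", BANNED));
}
```

In CI, read the real Cargo.lock with `std::fs::read_to_string` and pass it to `audit_lock` in place of the constants. Because the check never consults the advisory database, it keeps enforcing the policy whether or not `cargo audit` has caught up, and the same graph walk catches a transitive reintroduction of `libyml` through some other crate.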

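Behavioural notes 1 and 2 in the release notes describe two defaults the shim inherits from its backend: a custom-tagged scalar stays a `Value::Tagged` instead of collapsing to its inner string, and plain scalars resolve under the YAML 1.2 core schema, so `country: NO` stays the string `"NO"`. The block below is an added example, not code from serde_yml, noyalib or any other crate named on this page. It is a standard-library-only resolver for one `key: value` line that implements the YAML 1.1 boolean set (y/n, yes/no, on/off in their case variants) beside the YAML 1.2 core set (true/false only), keeps an explicit `!tag` on the value, and provides an `untag` accessor of the shape the notes describe. The `Value` and `Schema` enums and the `resolve_line` function are this example's own names, not the shim's API, and the four input lines in `main` are constructed for the demonstration.

```rust
// Added example (not code from serde_yml or noyalib): why YAML 1.2 strict booleans and
// preserved tags are the safer default, shown with a std-only resolver for `key: value` lines.

#[derive(Debug, Clone, PartialEq)]
enum Value {
    Null,
    Bool(bool),
    Int(i64),
    Str(String),
    /// An explicitly tagged scalar such as `!secret hunter2`, kept as (tag, inner value).
    Tagged(String, Box<Value>),
}

impl Value {
    /// Strip one layer of tag; untagged values pass through (the shape of the `untag()` the notes mention).
    fn untag(self) -> Value {
        match self {
            Value::Tagged(_, inner) => *inner,
            other => other,
        }
    }
}

#[derive(Clone, Copy)]
enum Schema {
    /// YAML 1.1: y/n, yes/no, on/off (in three case forms) are booleans, hence `NO` -> false.
    Yaml11,
    /// YAML 1.2 core schema: only true/false (three case forms) are booleans.
    Yaml12Core,
}

const YAML11_TRUE: &[&str] = &["y", "Y", "yes", "Yes", "YES", "true", "True", "TRUE", "on", "On", "ON"];
const YAML11_FALSE: &[&str] = &["n", "N", "no", "No", "NO", "false", "False", "FALSE", "off", "Off", "OFF"];
const YAML12_TRUE: &[&str] = &["true", "True", "TRUE"];
const YAML12_FALSE: &[&str] = &["false", "False", "FALSE"];

/// Resolve an untagged, unquoted (plain) scalar under the chosen schema.
/// Integers are simplified to decimal i64; YAML 1.1 octal/hex/underscore forms are not modelled.
fn resolve_plain(s: &str, schema: Schema) -> Value {
    let (truthy, falsy) = match schema {
        Schema::Yaml11 => (YAML11_TRUE, YAML11_FALSE),
        Schema::Yaml12Core => (YAML12_TRUE, YAML12_FALSE),
    };
    if matches!(s, "" | "~" | "null" | "Null" | "NULL") {
        Value::Null
    } else if truthy.contains(&s) {
        Value::Bool(true)
    } else if falsy.contains(&s) {
        Value::Bool(false)
    } else if let Ok(n) = s.parse::<i64>() {
        Value::Int(n)
    } else {
        Value::Str(s.to_string())
    }
}

/// Quoted scalars are always strings (the classic workaround for the Norway problem);
/// plain scalars go through schema resolution.
fn resolve_scalar(raw: &str, schema: Schema) -> Value {
    let quoted = raw.len() >= 2
        && ((raw.starts_with('"') && raw.ends_with('"')) || (raw.starts_with('\'') && raw.ends_with('\'')));
    if quoted { Value::Str(raw[1..raw.len() - 1].to_string()) } else { resolve_plain(raw, schema) }
}

/// Resolve one `key: value` line. An explicit `!tag` is preserved as `Value::Tagged`
/// rather than coerced to the payload string. Returns None if there is no `:` separator.
fn resolve_line(line: &str, schema: Schema) -> Option<(String, Value)> {
    let (key, rest) = line.split_once(':')?;
    let raw = rest.trim();
    let value = match raw.strip_prefix('!') {
        Some(tagged) => {
            let (tag, payload) = tagged.split_once(char::is_whitespace).unwrap_or((tagged, ""));
            Value::Tagged(format!("!{tag}"), Box::new(resolve_scalar(payload.trim(), schema)))
        }
        None => resolve_scalar(raw, schema),
    };
    Some((key.trim().to_string(), value))
}

fn main() {
    // Constructed input: the release-note example, its quoted workaround, and a tagged secret.
    for line in ["country: NO", "country: \"NO\"", "enabled: yes", "token: !secret hunter2"] {
        let (_, v11) = resolve_line(line, Schema::Yaml11).unwrap();
        let (_, v12) = resolve_line(line, Schema::Yaml12Core).unwrap();
        println!("{line:<24} YAML 1.1 => {v11:?}   YAML 1.2 => {v12:?}");
    }
}
```

Running it shows the two points of the behavioural notes side by side: under `Schema::Yaml11` the value of `country: NO` is `Bool(false)` and `enabled: yes` is `Bool(true)`, while under `Schema::Yaml12Core` both stay strings; quoting yields a string under either schema; and the tagged line stays `Tagged("!secret", Str("hunter2"))` until `untag()` is called, so code that exhaustively matches on `Value` has to account for the extra variant, exactly as note 1 says.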
fix(deps): update rust crate serde_yml to 0.0.13 [security]
All checks were successful
ci/woodpecker/pull_request_closed/build Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/push/build Pipeline was successful
ci/woodpecker/cron/build Pipeline was successful
364ac4268b
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-05-27 23:22:26 +00:00
renovate-bot deleted branch renovate/crate-serde_yml-vulnerability 2026-05-27 23:22:39 +00:00
Reference
fuwafuwalabs/padm_exporter!145