Context
serde_yaml (0.9.x) is used heavily throughout jetpack — 562 references across 34 files, leaning on the dynamic Value/Mapping API (not just from_str). The crate is now deprecated by its author (final release 0.9.34+deprecated).
Security status
- No actionable advisory against serde_yaml itself. The one historical advisory, RUSTSEC-2018-0005 (DoS via self-referencing YAML alias), was fixed long ago and does not affect the 0.9.x line we are on. cargo audit does not flag it.
- Deprecation is a maintenance signal, not a vulnerability. There is no urgency.
Successor landscape (all imperfect today)
- serde_yml — the often-cited "official successor", but it is archived and carries RUSTSEC-2025-0068 (segfault). Do not migrate to this — it would trade a stable deprecated crate for an abandoned, vulnerable one.
- serde_yaml_ng — a community fork, true drop-in (same serde_yaml:: module path via a Cargo.toml package = rename → zero source changes). No advisory, but its last release is ~2 years old.
- No clearly-healthy, actively-maintained successor exists yet.
Recommendation
Leave serde_yaml in place for now (stable, not vulnerable) and evaluate a maintained successor when one is clearly healthy. If/when we migrate, serde_yaml_ng's package = rename makes it a zero-source-change mechanical switch — but that should wait until that crate (or a better option) is actively maintained again.
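For reference, the Cargo.toml rename the recommendation refers to, written out as an added illustration rather than a change proposed in this issue; the version string is a placeholder, not a vetted release:

```toml
[dependencies]
# Today: the deprecated but stable crate the codebase uses.
# serde_yaml = "0.9"

# If/when we switch: Cargo's `package` key fetches serde_yaml_ng from the
# registry but exposes it under the dependency name `serde_yaml`, so every
# existing `use serde_yaml::{Value, Mapping}` and `serde_yaml::from_str(..)`
# resolves unchanged and no source file needs editing.
# Placeholder version: pin to a release reviewed with `cargo audit` first.
serde_yaml = { package = "serde_yaml_ng", version = "<reviewed-release>" }
```

After such a switch, `cargo tree -i serde_yaml_ng` confirms the fork is the only YAML crate in the graph and `cargo audit` should still come back clean.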
This issue tracks the decision; no code change is required today.