Skip to content

v0.4.0: Harder to crack πŸͺ¨

Choose a tag to compare

View all tags
@github-actions github-actions released this 26 Jun 22:13
· 4 commits to main since this release
Immutable release. Only release title and notes can be modified.
v0.4.0
f37e33a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

πŸͺ¨ A harder rock to crack.

v0.3.0 went looking for cracks. v0.4.0 went looking harder, and this time a few of the cracks turned out to be security holes.

We put YAMLRocks through two more independent review passes and taught the differential fuzzer to assert that every dumped document loads back identical, not merely that it does not crash. That flushed out a long tail of quiet correctness bugs: an emitter that could write a ... or a folded scalar that re-read as a document marker, a tagged sequence item that lost its tag in indentless mode, JSON Schema $ref that was silently ignored, a big integer over i64 that fell back to a string, base-60 floats that skipped their own validation. All fixed, all pinned with tests.

The same passes turned up real issues in the include system, and those got the most attention. A handful of tiny files that include each other can no longer fan out into billions of reads (a billion-laughs, but for !include). A misconfigured logger: line in your secrets.yaml no longer echoes into the logs. And writing includes back to disk now refuses to follow a symlink swapped in underneath it, so a write can never escape your config tree.

New along the way: dumps emits YAML 1.1-safe output under OPT_YAML_1_1, round-trip edits are quoted by the schema the document was loaded with, and JSON Schema $ref resolves against local pointers.

Still more than 10x faster than PyYAML's C loader on both load and dump. We benchmarked it after all of this, and the numbers did not budge.

pip install yamlrocks

πŸ“š Docs: https://yaml.rocks

Same rock. Harder to crack. πŸͺ¨

../Frenck

Β Β  Β Β  Β Β  Β Β  Β Β  Β Β  Β Β  Β Β 

Blogging my personal ramblings at frenck.dev

What's changed

✨ New features

  • ✨ Emit YAML 1.1-safe output under OPT_YAML_1_1 on dumps @frenck (#114)
  • ✨ Quote round-trip edits by the document's loaded schema @frenck (#115)
  • ✨ Resolve JSON Schema $ref against local pointers @frenck (#131)

πŸ› Bug fixes

  • πŸ› Treat an indented ---/... as a plain scalar, not a document marker @frenck (#112)
  • πŸ› Reject malformed block structure in the round-trip composer @frenck (#113)
  • ✨ Resolve round-trip projection under the document's loaded schema @frenck (#116)
  • πŸ› Report a missing relative include as not-found, not confinement @frenck (#122)
  • πŸ› Guard the remaining round-trip AST traversals against stack overflow @frenck (#125)
  • πŸ› Keep %TAG and %YAML directives on a round-trip edit @frenck (#127)
  • πŸ› Discover and navigate an anchor on a mapping key @frenck (#128)
  • πŸ› Keep a non-conforming explicit core tag as a string, not a wrong value @frenck (#126)
  • πŸ› Reject malformed verbatim tags and block scalar headers @frenck (#129)
  • πŸ› Compare full structure for schema const/enum on containers @frenck (#130)
  • πŸ› Reject invalid anchor names and tags before emitting them @frenck (#132)
  • πŸ› Validate base-60 segments of a sexagesimal float @frenck (#133)
  • πŸ› Snapshot a container before converting it to a round-trip node @frenck (#137)
  • πŸ› Resolve a non-decimal integer over i64 as a big integer @frenck (#138)
  • πŸ› Match PyYAML float and underscore rules under PyYAML-compat @frenck (#140)
  • πŸ› Emit an explicit null before a tagged mapping key @frenck (#141)
  • πŸ› Emit a non-first tagged mapping key in explicit-key form @frenck (#143)
  • πŸ› Quote a string that re-reads as a document-end marker @frenck (#144)
  • πŸ› Indent a tagged sequence item under its dash when indentless @frenck (#146)
  • πŸ› Keep a folded scalar off the start of a marker line @frenck (#145)
  • πŸ› Stop echoing a secrets.yaml logger value into the log @frenck (#150)
  • πŸ› Write includes back atomically without following a symlink @frenck (#151)
  • πŸ› Bound include expansion to stop a diamond-lattice fan-out @frenck (#149)

🧰 Maintenance

  • βœ… Check every document of a multi-document compliance case @frenck (#134)
  • πŸ‘· Build and test against the locked dependency graph @frenck (#136)
  • βœ… Require a proper decode error for invalid compliance cases @frenck (#139)
  • βœ… Bound an alias bomb by wall-clock time, not just "eventually" @frenck (#142)
  • βœ… Assert the fast emitter's output always re-parses in differential fuzz @frenck (#148)
  • πŸ‘· Pin exact cargo tool versions in CI @frenck (#152)

πŸ“š Documentation

  • πŸ“ Frame the three scalar schemas and the strict-1.1 y/n sharp edge @frenck (#119)
  • πŸ“ Fix documentation that did not match the API @frenck (#135)

⬆️ Dependency updates

8 changes

Contributors

frenck
Assets 3
Loading