Avoid problematic serde release

[orhun]

There was a quite a bit of controversy around serde crate recently.

For more context, take a look at serde-rs/serde#2538

Shortly, they started shipping precompiled binaries which poses a huge security risk. There isn't an official way to opt-out from this for now except pinning the serde version to 1.0.172 as follows:

serde = { version = "1.0.172", optional = true, features = ["derive"] }

As ratatui, should we take action? Pinging all maintainers/contributors for comment 💭

[joshka]

I've been watching this a bit on lobsters, reddit and github. My take is that it is not good and should be opt-in. The precompilation saves 10 seconds of compile time at a massive expense.

• POLL: Should `time` restrict the version of `serde` that is used? time-rs/time#611 (comment) has a really good nuanced view of the issue.

And there are 2 PRs that are worth looking at:

• Add derive_compiled feature to force compilation of serde_derive serde-rs/serde#2579
• Provide opt-out feature=from_source to use serde_derive source serde-rs/serde#2580

I think that right now, it's highly unlikely that the precompiled code currently in serde_derive is malicious or can be taken advantage of in some way that would be malicious (except in ways that would be significantly more impactful elsewhere - https://crates.io/crates/serde_derive/reverse_dependencies), so we don't need to rush for a solution and could instead wait and see how it pans out.

[orhun]

Thank you for the insight and references! I think the same, let's wait a bit for it to resolve. Wanted to bring this up either way for discussion!

[joshka]

Looks like the issue is fixed in v1.0.184 by serde-rs/serde#2590