Avoid problematic serde release
#421
Replies: 2 comments 1 reply
-
There was quite a bit of controversy around the serde crate recently. For more context, take a look at serde-rs/serde#2538

In short, they started shipping precompiled binaries, which poses a huge security risk. There isn't an official way to opt out of this for now, except pinning the serde version to 1.0.172 as follows:

As ratatui, should we take action? Pinging all maintainers/contributors for comment 💭
-
I've been watching this a bit on lobsters, reddit and github. My take is that it is not good and should be opt-in. The precompilation saves 10 seconds of compile time at a massive expense.

And there are 2 PRs that are worth looking at:

I think that right now, it's highly unlikely that the precompiled code currently in serde_derive is malicious or can be taken advantage of in some way that would be malicious (except in ways that would be significantly more impactful elsewhere - https://crates.io/crates/serde_derive/reverse_dependencies), so we don't need to rush for a solution and could instead wait and see how it pans out.
-
Looks like the issue is fixed in v1.0.184 by serde-rs/serde#2590
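As an added check (not code from ratatui, serde or any participant in this thread), a small Rust program that scans a Cargo.lock for serde or serde_derive resolved to a version newer than the 1.0.172 pin the post suggests and older than the 1.0.184 release the reply says fixes the issue. The lockfile sample is constructed, and treating exactly that open range as affected is an assumption based only on the two version numbers given in the thread.

```rust
// Added example (not ratatui's or serde's code): flag serde / serde_derive entries
// in a Cargo.lock newer than the 1.0.172 pin but older than the 1.0.184 fix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    // "MAJOR.MINOR.PATCH" as a comparable tuple; None for anything else.
    let mut parts = v.trim().split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    // Value of a `key = "value"` lockfile line, or None if the line is not one.
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    rest.strip_prefix('"')?.strip_suffix('"')
}

/// "name version" for every serde / serde_derive entry whose resolved version
/// lies strictly between 1.0.172 and 1.0.184 (assumed affected range).
pub fn affected_serde_packages(lockfile: &str) -> Vec<String> {
    const LAST_GOOD: (u64, u64, u64) = (1, 0, 172); // pin suggested in the post
    const FIXED: (u64, u64, u64) = (1, 0, 184); // fix noted in the reply
    let mut hits = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    // One extra header at the end flushes the last [[package]] section too.
    for line in lockfile.lines().chain(std::iter::once("[[package]]")) {
        if line.trim() == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                if let Some(parsed) = parse_version(&v) {
                    let watched = n == "serde" || n == "serde_derive";
                    if watched && parsed > LAST_GOOD && parsed < FIXED {
                        hits.push(format!("{n} {v}"));
                    }
                }
            }
        } else if let Some(n) = quoted_value(line, "name") {
            name = Some(n.to_string());
        } else if let Some(v) = quoted_value(line, "version") {
            version = Some(v.to_string());
        }
    }
    hits
}

fn main() {
    // Constructed sample lockfile (not from any real project); on a real
    // project, pass the contents of std::fs::read_to_string("Cargo.lock").
    let sample = "[[package]]\nname = \"serde\"\nversion = \"1.0.183\"\n\n\
                  [[package]]\nname = \"serde_derive\"\nversion = \"1.0.183\"\n";
    for hit in affected_serde_packages(sample) {
        println!("flagged: {hit}"); // serde 1.0.183, serde_derive 1.0.183
    }
}
```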