Mark serde_yml 0.0.13 as patched in RUSTSEC-2025-0068 #2915
Open
sebastienrousseau wants to merge 1 commit into
`serde_yml = "0.0.13"` is a deprecation shim that structurally
removes the unsound surface flagged by this advisory: the C-FFI
`libyml` parser is gone from the dependency graph entirely, and
`serde_yml::ser::Serializer` is now a re-export of a pure-Rust
unit struct (`pub struct Serializer;`) with no `emitter` field —
the specific API path documented in the advisory no longer exists.
The crate is still deprecated and not under active development —
every public item carries `#[deprecated]` — but the unsound surface
is no longer reachable. Adds `patched = ["^0.0.13"]` and a "Status
in 0.0.13" section to the advisory describing the structural fix
with verification commands.
Also extends the "Pure Rust alternatives" section to include three
currently-maintained pure-Rust crates:
- `noyalib` — full serde integration, `#![forbid(unsafe_code)]`,
drop-in via the `compat-serde-yaml` feature
- `serde-saphyr` — typed-deserialise wrapper around saphyr
- `yaml-rust2` — maintained pure-Rust parser primitives
Verification (anyone can run):
```bash
cargo tree -p serde_yml | grep libyml # → no output
grep 'pub struct Serializer' \
  <(cargo doc -p serde_yml --no-deps && \
    cat target/doc/serde_yml/struct.Serializer.html)
```
---
THE ARCHITECT ᛫ Sebastien Rousseau ᛫ https://sebastienrousseau.com
THE ENGINE ᛞ EUXIS ᛫ Enterprise Unified Execution Intelligence System ᛫ https://euxis.co
Assisted-by: Claude:claude-opus-4-7
renovate Bot added a commit to sdwilsh/jellyfin-remote-proxy that referenced this pull request May 28, 2026
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [env_logger](https://redirect.github.com/rust-cli/env_logger) | dependencies | patch | `0.11.8` → `0.11.10` |
| [futures](https://rust-lang.github.io/futures-rs) ([source](https://redirect.github.com/rust-lang/futures-rs)) | dependencies | patch | `0.3.31` → `0.3.32` |
| [log](https://redirect.github.com/rust-lang/log) | dependencies | patch | `0.4.29` → `0.4.30` |
| [serde_json](https://redirect.github.com/serde-rs/json) | dependencies | patch | `1.0.148` → `1.0.150` |
| [serde_yml](https://redirect.github.com/sebastienrousseau/noyalib) ([source](https://redirect.github.com/sebastienrousseau/serde_yml)) | dependencies | patch | `0.0.12` → `0.0.13` |
| [tokio](https://tokio.rs) ([source](https://redirect.github.com/tokio-rs/tokio)) | dependencies | minor | `1.48.0` → `1.52.3` |
| [url](https://redirect.github.com/servo/rust-url) | dependencies | patch | `2.5.7` → `2.5.8` |

---

### Release Notes

<details>
<summary>rust-cli/env_logger (env_logger)</summary>

### [`v0.11.10`](https://redirect.github.com/rust-cli/env_logger/blob/HEAD/CHANGELOG.md#01110---2026-03-23)

[Compare Source](https://redirect.github.com/rust-cli/env_logger/compare/v0.11.9...v0.11.10)

##### Internal

- Update dependencies

### [`v0.11.9`](https://redirect.github.com/rust-cli/env_logger/blob/HEAD/CHANGELOG.md#0119---2026-02-11)

[Compare Source](https://redirect.github.com/rust-cli/env_logger/compare/v0.11.8...v0.11.9)

</details>

<details>
<summary>rust-lang/futures-rs (futures)</summary>

### [`v0.3.32`](https://redirect.github.com/rust-lang/futures-rs/blob/HEAD/CHANGELOG.md#0332---2026-02-15)

[Compare Source](https://redirect.github.com/rust-lang/futures-rs/compare/0.3.31...0.3.32)

- Bump MSRV of utility crates to 1.71. ([#2989](https://redirect.github.com/rust-lang/futures-rs/issues/2989))
- Soft-deprecate `ready!` macro in favor of `std::task::ready!` added in Rust 1.64 ([#2925](https://redirect.github.com/rust-lang/futures-rs/issues/2925))
- Soft-deprecate `pin_mut!` macro in favor of `std::pin::pin!` added in Rust 1.68 ([#2929](https://redirect.github.com/rust-lang/futures-rs/issues/2929))
- Add `FuturesOrdered::clear` ([#2927](https://redirect.github.com/rust-lang/futures-rs/issues/2927))
- Add `mpsc::*Receiver::recv` ([#2947](https://redirect.github.com/rust-lang/futures-rs/issues/2947))
- Add `mpsc::*Receiver::try_recv` and deprecate `mpsc::*Receiver::::try_next` ([#2944](https://redirect.github.com/rust-lang/futures-rs/issues/2944))
- Implement `FusedStream` for `sink::With` ([#2948](https://redirect.github.com/rust-lang/futures-rs/issues/2948))
- Add `no_std` support for `shared` ([#2868](https://redirect.github.com/rust-lang/futures-rs/issues/2868))
- Make `Mutex::new()` const ([#2956](https://redirect.github.com/rust-lang/futures-rs/issues/2956))
- Add `#[clippy::has_significant_drop]` to guards ([#2967](https://redirect.github.com/rust-lang/futures-rs/issues/2967))
- Remove dependency to `pin-utils` ([#2929](https://redirect.github.com/rust-lang/futures-rs/issues/2929))
- Remove dependency on `num_cpus` ([#2946](https://redirect.github.com/rust-lang/futures-rs/issues/2946))
- Performance improvements ([#2983](https://redirect.github.com/rust-lang/futures-rs/issues/2983))
- Documentation improvements ([#2925](https://redirect.github.com/rust-lang/futures-rs/issues/2925), [#2926](https://redirect.github.com/rust-lang/futures-rs/issues/2926), [#2940](https://redirect.github.com/rust-lang/futures-rs/issues/2940), [#2971](https://redirect.github.com/rust-lang/futures-rs/issues/2971))

</details>

<details>
<summary>rust-lang/log (log)</summary>

### [`v0.4.30`](https://redirect.github.com/rust-lang/log/blob/HEAD/CHANGELOG.md#0430---2026-05-21)

[Compare Source](https://redirect.github.com/rust-lang/log/compare/0.4.29...0.4.30)

##### What's Changed

- Support capturing of `std::net` types by [@KodrAus](https://redirect.github.com/KodrAus) in [#724](https://redirect.github.com/rust-lang/log/pull/724)

##### New Contributors

- [@V0ldek](https://redirect.github.com/V0ldek) made their first contribution in [#720](https://redirect.github.com/rust-lang/log/pull/720)
- [@woodruffw](https://redirect.github.com/woodruffw) made their first contribution in [#723](https://redirect.github.com/rust-lang/log/pull/723)

**Full Changelog**: <rust-lang/log@0.4.29...0.4.30>

##### Notable Changes

- MSRV is bumped to 1.71.0 in [#723](https://redirect.github.com/rust-lang/log/pull/723)

</details>

<details>
<summary>serde-rs/json (serde_json)</summary>

### [`v1.0.150`](https://redirect.github.com/serde-rs/json/releases/tag/v1.0.150)

[Compare Source](https://redirect.github.com/serde-rs/json/compare/v1.0.149...v1.0.150)

- Reject non-string enum object keys ([#1324](https://redirect.github.com/serde-rs/json/issues/1324), thanks [@puneetdixit200](https://redirect.github.com/puneetdixit200))

### [`v1.0.149`](https://redirect.github.com/serde-rs/json/releases/tag/v1.0.149)

[Compare Source](https://redirect.github.com/serde-rs/json/compare/v1.0.148...v1.0.149)

- Align arbitrary\_precision number strings with zmij's formatting ([#1306](https://redirect.github.com/serde-rs/json/issues/1306), thanks [@b41sh](https://redirect.github.com/b41sh))

</details>

<details>
<summary>sebastienrousseau/serde_yml (serde_yml)</summary>

### [`v0.0.13`](https://redirect.github.com/sebastienrousseau/serde_yml/releases/tag/v0.0.13): — Final release (deprecation shim, RUSTSEC-2025-0068 fixed)

[Compare Source](https://redirect.github.com/sebastienrousseau/serde_yml/compare/v0.0.12...v0.0.13)

#### ⚠️ Final release — `serde_yml` is deprecated

This is the **final maintenance release** of `serde_yml`. The crate is no longer under active development. `0.0.13` is a thin compatibility shim that lets existing call sites keep compiling while you migrate to one of the [maintained alternatives](#maintained-alternatives) listed below.

If you are reading this because `cargo audit` flagged your build, **upgrading to `0.0.13` resolves [RUSTSEC-2025-0068](https://rustsec.org/advisories/RUSTSEC-2025-0068.html) structurally** — see [Security](#security) below.

***

#### TL;DR

```diff
# Cargo.toml
- serde_yml = "0.0"
+ serde_yml = "0.0.13"
```

Your existing call sites compile unchanged. The compiler now emits a `#[deprecated]` warning at every `use serde_yml::*` import pointing at the migration guide. The C-FFI `libyml` parser is no longer in your dependency graph.

When you're ready to fully migrate, see the [migration guide](https://redirect.github.com/sebastienrousseau/serde_yml/blob/master/MIGRATION.md).

***

#### Security: RUSTSEC-2025-0068 fixed

[RUSTSEC-2025-0068](https://rustsec.org/advisories/RUSTSEC-2025-0068.html) (also [GHSA-hhw4-xg65-fp2x](https://redirect.github.com/advisories/GHSA-hhw4-xg65-fp2x)) flagged every `serde_yml ≤ 0.0.12` as unsound — the `serde_yml::ser::Serializer.emitter` field could cause a segmentation fault via the C-FFI `libyaml` parser.

**`0.0.13` removes the vulnerable surface entirely:**

- The C-FFI `libyml` dependency is **gone** from the graph.
- `serde_yml::ser::Serializer` is now a re-export of a pure-Rust unit struct (`pub struct Serializer;`) with **no `emitter` field** — code that referenced `.emitter` no longer compiles, which is the desired outcome.
- The backend (`noyalib`) enforces `#![forbid(unsafe_code)]` workspace-wide.

Verification:

```bash
cargo update -p serde_yml --precise 0.0.13
cargo tree -p serde_yml | grep libyml # → no output
```

The RustSec advisory database PR adding `patched = ["^0.0.13"]` is pending review at [rustsec/advisory-db#2915](https://redirect.github.com/rustsec/advisory-db/pull/2915). Until it merges, `cargo audit` may still warn against `0.0.13` — the `0.0.13` release itself ships `.cargo/audit.toml` + `deny.toml` ignore entries so the self-referential warning doesn't block your own CI.

***

#### Maintained alternatives

Three crates are realistic destinations. Pick the one that fits.

| Crate | Migration shape | Best fit |
| :--- | :--- | :--- |
| **[`noyalib`](https://crates.io/crates/noyalib)** | Drop-in via `features = ["compat-serde-yaml"]` | Codebases that want a `serde_yml`-shaped API on a modern, safe, pure-Rust backend with zero call-site changes |
| **[`serde-saphyr`](https://crates.io/crates/serde-saphyr)** | Path rename for typed code; **no `Value` DOM** | Typed-deserialise workloads (`from_str::<MyStruct>`) — the 95 % case |
| **[`yaml-rust2`](https://crates.io/crates/yaml-rust2)** | Lower-level parser API, not serde-integrated | Users who were on `serde_yml::libyml` / `loader` (removed in this shim) |

Full per-destination mapping tables: [`MIGRATION.md`](https://redirect.github.com/sebastienrousseau/serde_yml/blob/master/MIGRATION.md).

The shim itself is backed by `noyalib` internally — that's an implementation detail, not a recommendation. Pick whichever alternative suits your codebase.

***

#### What's removed

The deep internal modules that previous versions exposed leaked implementation details of the C-FFI parser. They are **gone** in this release:

| Removed | Replacement |
| :--- | :--- |
| `serde_yml::libyml::*` (FFI bindings) | `yaml-rust2` for low-level parsing; otherwise n/a |
| `serde_yml::loader::Loader` | `yaml-rust2::YamlLoader` or `noyalib::load_all_as::<T>` |
| `serde_yml::de::{Event, Progress, DocumentAnchor}` | Covered by the alternatives' streaming APIs |
| `serde_yml::ser::{SerializerConfig, State}` | `noyalib::ser::Config` |
| `serde_yml::modules::path::Path` | `Error::location()` / `Error::path()` on any alternative |
| `serde_yml::value::Index` | `Value` types in the alternatives implement `Index<&str>` / `Index<usize>` natively |

Code calling only the public top-level surface (`from_str` / `to_string` / `Value` / `Mapping` / `with::singleton_map*`) needs no changes.

***

#### Behavioural notes worth knowing

Two intentionally safer defaults flow through the shim:

1. **Custom-tag scalars surface as `Value::Tagged`** rather than being coerced to the inner string. Code exhaustively matching the previous six-variant `Value` enum needs either a `Value::Tagged(_)` arm or a call to `Value::untag()` / `Value::untag_ref()` before the match.
2. **YAML 1.2 strict booleans by default.** `country: NO` stays `"NO"` (the YAML 1.2 fix to the "Norway problem") instead of becoming `false`.

***

#### MSRV

`0.0.13` requires **Rust 1.85.0** (the backend's MSRV); the previous releases required 1.56. Users who cannot move past 1.56 should pin `serde_yml = "=0.0.12"` and plan a migration window — but note that pinning `0.0.12` keeps RUSTSEC-2025-0068 in your audit feed.

***

#### Dependencies

The runtime dependency tree dropped from six crates to two:

```
serde_yml v0.0.13
├── noyalib v0.0.5
│   ├── indexmap, memchr, rustc-hash, serde, smallvec
└── serde v1.0.x
```

No `libyml`, no `unsafe-libyaml`, no `serde_yaml` 0.9. Downstream `cargo audit` / `cargo deny` runs stop flagging the unmaintained chain.

***

#### Documentation

- [`README.md`](https://redirect.github.com/sebastienrousseau/serde_yml/blob/master/README.md) — overview, install, behavioural notes
- [`MIGRATION.md`](https://redirect.github.com/sebastienrousseau/serde_yml/blob/master/MIGRATION.md) — full per-destination mapping tables, removed-surface table, test/example coverage triage
- [`SECURITY.md`](https://redirect.github.com/sebastienrousseau/serde_yml/blob/master/.github/SECURITY.md) — RUSTSEC-2025-0068 status, supported-versions table, reporting policy
- [docs.rs/serde\_yml/0.0.13](https://docs.rs/serde_yml/0.0.13) — API reference with `#[deprecated]` banner on every item

***

#### License

Dual-licensed under [Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0) or [MIT](https://opensource.org/licenses/MIT), at your option.

**Thanks** to everyone who used and contributed to `serde_yml`. The crate served its purpose; it's time to move on to maintained, safer alternatives.

</details> <details> <summary>tokio-rs/tokio (tokio)</summary> ### [`v1.52.3`](https://redirect.github.com/tokio-rs/tokio/releases/tag/tokio-1.52.3): Tokio v1.52.3 [Compare Source](https://redirect.github.com/tokio-rs/tokio/compare/tokio-1.52.2...tokio-1.52.3) ### 1.52.3 (May 8th, 2026) ##### Fixed - sync: fix underflow in mpsc channel `len()` ([#​8062]) - sync: notify receivers in mpsc `OwnedPermit::release()` method ([#​8075]) - sync: require that an `RwLock` has `max_readers != 0` ([#​8076]) - sync: return `Empty` from `try_recv()` when mpsc is closed with outstanding permits ([#​8074]) [#​8062]: https://redirect.github.com/tokio-rs/tokio/pull/8062 [#​8074]: https://redirect.github.com/tokio-rs/tokio/pull/8074 [#​8075]: https://redirect.github.com/tokio-rs/tokio/pull/8075 [#​8076]: https://redirect.github.com/tokio-rs/tokio/pull/8076 ### [`v1.52.2`](https://redirect.github.com/tokio-rs/tokio/releases/tag/tokio-1.52.2): Tokio v1.52.2 [Compare Source](https://redirect.github.com/tokio-rs/tokio/compare/tokio-1.52.1...tokio-1.52.2) ### 1.52.2 (May 4th, 2026) This release reverts the LIFO slot stealing change introduced in 1.51.0 ([#​7431]), due to [its performance impact][#​8065]. 
([#​8100]) [#​7431]: https://redirect.github.com/tokio-rs/tokio/pull/7431 [#​8065]: https://redirect.github.com/tokio-rs/tokio/pull/8065 [#​8100]: https://redirect.github.com/tokio-rs/tokio/pull/8100 ### [`v1.52.1`](https://redirect.github.com/tokio-rs/tokio/releases/tag/tokio-1.52.1): Tokio v1.52.1 [Compare Source](https://redirect.github.com/tokio-rs/tokio/compare/tokio-1.52.0...tokio-1.52.1) ### 1.52.1 (April 16th, 2026) #### Fixed - runtime: revert [#​7757] to fix [a regression][#​8056] that causes `spawn_blocking` to hang ([#​8057]) [#​7757]: https://redirect.github.com/tokio-rs/tokio/pull/7757 [#​8056]: https://redirect.github.com/tokio-rs/tokio/pull/8056 [#​8057]: https://redirect.github.com/tokio-rs/tokio/pull/8057 ### [`v1.52.0`](https://redirect.github.com/tokio-rs/tokio/releases/tag/tokio-1.52.0): Tokio v1.52.0 [Compare Source](https://redirect.github.com/tokio-rs/tokio/compare/tokio-1.51.3...tokio-1.52.0) ### 1.52.0 (April 14th, 2026) #### Added - io: `AioSource::register_borrowed` for I/O safety support ([#​7992]) - net: add `try_io` function to `unix::pipe` sender and receiver types ([#​8030]) #### Added (unstable) - runtime: `Builder::enable_eager_driver_handoff` setting enable eager hand off of the I/O and time drivers before polling tasks ([#​8010]) - taskdump: add `trace_with()` for customized task dumps ([#​8025]) - taskdump: allow `impl FnMut()` in `trace_with` instead of just `fn()` ([#​8040]) - fs: support `io_uring` in `AsyncRead` for `File` ([#​7907]) #### Changed - runtime: improve `spawn_blocking` scalability with sharded queue ([#​7757]) - runtime: use `compare_exchange_weak()` in worker queue ([#​8028]) #### Fixed - runtime: overflow second half of tasks when local queue is filled instead of first half ([#​8029]) #### Documented - docs: fix typo in `oneshot::Sender::send` docs ([#​8026]) - docs: hide #\[tokio::main] attribute in the docs of `sync::watch` ([#​8035]) - net: add docs on `ConnectionRefused` errors with UDP sockets ([#​7870]) 
[#​7757]: https://redirect.github.com/tokio-rs/tokio/pull/7757 [#​7870]: https://redirect.github.com/tokio-rs/tokio/pull/7870 [#​7907]: https://redirect.github.com/tokio-rs/tokio/pull/7907 [#​7992]: https://redirect.github.com/tokio-rs/tokio/pull/7992 [#​8010]: https://redirect.github.com/tokio-rs/tokio/pull/8010 [#​8025]: https://redirect.github.com/tokio-rs/tokio/pull/8025 [#​8026]: https://redirect.github.com/tokio-rs/tokio/pull/8026 [#​8028]: https://redirect.github.com/tokio-rs/tokio/pull/8028 [#​8029]: https://redirect.github.com/tokio-rs/tokio/pull/8029 [#​8030]: https://redirect.github.com/tokio-rs/tokio/pull/8030 [#​8035]: https://redirect.github.com/tokio-rs/tokio/pull/8035 [#​8040]: https://redirect.github.com/tokio-rs/tokio/pull/8040 ### [`v1.51.3`](https://redirect.github.com/tokio-rs/tokio/releases/tag/tokio-1.51.3): Tokio v1.51.3 [Compare Source](https://redirect.github.com/tokio-rs/tokio/compare/tokio-1.51.2...tokio-1.51.3) ### 1.51.3 (May 8th, 2026) ##### Fixed - sync: fix underflow in mpsc channel `len()` ([#​8062]) - sync: notify receivers in mpsc `OwnedPermit::release()` method ([#​8075]) - sync: require that an `RwLock` has `max_readers != 0` ([#​8076]) - sync: return `Empty` from `try_recv()` when mpsc is closed with outstanding permits ([#​8074]) [#​8062]: https://redirect.github.com/tokio-rs/tokio/pull/8062 [#​8074]: https://redirect.github.com/tokio-rs/tokio/pull/8074 [#​8075]: https://redirect.github.com/tokio-rs/tokio/pull/8075 [#​8076]: https://redirect.github.com/tokio-rs/tokio/pull/8076 ### [`v1.51.2`](https://redirect.github.com/tokio-rs/tokio/releases/tag/tokio-1.51.2): Tokio v1.51.1 [Compare Source](https://redirect.github.com/tokio-rs/tokio/compare/tokio-1.51.1...tokio-1.51.2) ### 1.51.2 (May 4th, 2026) This release reverts the LIFO slot stealing change introduced in 1.51.0 ([#​7431]), due to [its performance impact][#​8065]. 
([#​8100]) [#​7431]: https://redirect.github.com/tokio-rs/tokio/pull/7431 [#​8065]: https://redirect.github.com/tokio-rs/tokio/pull/8065 [#​8100]: https://redirect.github.com/tokio-rs/tokio/pull/8100 ### [`v1.51.1`](https://redirect.github.com/tokio-rs/tokio/releases/tag/tokio-1.51.1): Tokio v1.51.1 [Compare Source](https://redirect.github.com/tokio-rs/tokio/compare/tokio-1.51.0...tokio-1.51.1) ##### 1.51.1 (April 8th, 2026) ##### Fixed - sync: fix semaphore reopens after forget ([#​8021]) - net: surface errors from `SO_ERROR` on `recv` for UDP sockets on Linux ([#​8001]) ##### Fixed (unstable) - metrics: fix `worker_local_schedule_count` test ([#​8008]) - rt: do not leak fd when cancelling io\_uring open operation ([#​7983]) [#​7983]: https://redirect.github.com/tokio-rs/tokio/pull/7983 [#​8001]: https://redirect.github.com/tokio-rs/tokio/pull/8001 [#​8008]: https://redirect.github.com/tokio-rs/tokio/pull/8008 [#​8021]: https://redirect.github.com/tokio-rs/tokio/pull/8021 ### [`v1.51.0`](https://redirect.github.com/tokio-rs/tokio/releases/tag/tokio-1.51.0): Tokio v1.51.0 [Compare Source](https://redirect.github.com/tokio-rs/tokio/compare/tokio-1.50.0...tokio-1.51.0) ##### 1.51.0 (April 3rd, 2026) ##### Added - net: implement `get_peer_cred` on Hurd ([#​7989]) - runtime: add `tokio::runtime::worker_index()` ([#​7921]) - runtime: add runtime name ([#​7924]) - runtime: stabilize `LocalRuntime` ([#​7557]) - wasm: add wasm32-wasip2 networking support ([#​7933]) ##### Changed - runtime: steal tasks from the LIFO slot ([#​7431]) ##### Fixed - docs: do not show "Available on non-loom only." 
doc label ([#​7977]) - macros: improve overall macro hygiene ([#​7997]) - sync: fix `notify_waiters` priority in `Notify` ([#​7996]) - sync: fix panic in `Chan::recv_many` when called with non-empty vector on closed channel ([#​7991]) [#​7431]: https://redirect.github.com/tokio-rs/tokio/pull/7431 [#​7557]: https://redirect.github.com/tokio-rs/tokio/pull/7557 [#​7921]: https://redirect.github.com/tokio-rs/tokio/pull/7921 [#​7924]: https://redirect.github.com/tokio-rs/tokio/pull/7924 [#​7933]: https://redirect.github.com/tokio-rs/tokio/pull/7933 [#​7977]: https://redirect.github.com/tokio-rs/tokio/pull/7977 [#​7989]: https://redirect.github.com/tokio-rs/tokio/pull/7989 [#​7991]: https://redirect.github.com/tokio-rs/tokio/pull/7991 [#​7996]: https://redirect.github.com/tokio-rs/tokio/pull/7996 [#​7997]: https://redirect.github.com/tokio-rs/tokio/pull/7997 ### [`v1.50.0`](https://redirect.github.com/tokio-rs/tokio/releases/tag/tokio-1.50.0): Tokio v1.50.0 [Compare Source](https://redirect.github.com/tokio-rs/tokio/compare/tokio-1.49.0...tokio-1.50.0) ### 1.50.0 (Mar 3rd, 2026) ##### Added - net: add `TcpStream::set_zero_linger` ([#​7837]) - rt: add `is_rt_shutdown_err` ([#​7771]) ##### Changed - io: add optimizer hint that `memchr` returns in-bounds pointer ([#​7792]) - io: implement vectored writes for `write_buf` ([#​7871]) - runtime: panic when `event_interval` is set to 0 ([#​7838]) - runtime: shorten default thread name to fit in Linux limit ([#​7880]) - signal: remember the result of `SetConsoleCtrlHandler` ([#​7833]) - signal: specialize windows `Registry` ([#​7885]) ##### Fixed - io: always cleanup `AsyncFd` registration list on deregister ([#​7773]) - macros: remove (most) local `use` declarations in `tokio::select!` ([#​7929]) - net: fix `GET_BUF_SIZE` constant for `target_os = "android"` ([#​7889]) - runtime: avoid redundant unpark in current\_thread scheduler ([#​7834]) - runtime: don't park in `current_thread` if `before_park` defers waker ([#​7835]) - io: 
fix write readiness on ESP32 on short writes ([#​7872]) - runtime: wake deferred tasks before entering `block_in_place` ([#​7879]) - sync: drop rx waker when oneshot receiver is dropped ([#​7886]) - runtime: fix double increment of `num_idle_threads` on shutdown ([#​7910], [#​7918], [#​7922]) ##### Unstable - fs: check for io-uring opcode support ([#​7815]) - runtime: avoid lock acquisition after uring init ([#​7850]) ##### Documented - docs: update outdated unstable features section ([#​7839]) - io: clarify the behavior of `AsyncWriteExt::shutdown()` ([#​7908]) - io: explain how to flush stdout/stderr ([#​7904]) - io: fix incorrect and confusing `AsyncWrite` documentation ([#​7875]) - rt: clarify the documentation of `Runtime::spawn` ([#​7803]) - rt: fix missing quotation in docs ([#​7925]) - runtime: correct the default thread name in docs ([#​7896]) - runtime: fix `event_interval` doc ([#​7932]) - sync: clarify RwLock fairness documentation ([#​7919]) - sync: clarify that `recv` returns `None` once closed and no more messages ([#​7920]) - task: clarify when to use `spawn_blocking` vs dedicated threads ([#​7923]) - task: doc that task drops before `JoinHandle` completion ([#​7825]) - signal: guarantee that listeners never return `None` ([#​7869]) - task: fix task module feature flags in docs ([#​7891]) - task: fix two typos ([#​7913]) - task: improve the docs of `Builder::spawn_local` ([#​7828]) - time: add docs about auto-advance and when to use sleep ([#​7858]) - util: fix typo in docs ([#​7926]) [#​7771]: https://redirect.github.com/tokio-rs/tokio/pull/7771 [#​7773]: https://redirect.github.com/tokio-rs/tokio/pull/7773 [#​7792]: https://redirect.github.com/tokio-rs/tokio/pull/7792 [#​7803]: https://redirect.github.com/tokio-rs/tokio/pull/7803 [#​7815]: https://redirect.github.com/tokio-rs/tokio/pull/7815 [#​7825]: https://redirect.github.com/tokio-rs/tokio/pull/7825 [#​7828]: https://redirect.github.com/tokio-rs/tokio/pull/7828 [#​7833]: 
https://redirect.github.com/tokio-rs/tokio/pull/7833 [#​7834]: https://redirect.github.com/tokio-rs/tokio/pull/7834 [#​7835]: https://redirect.github.com/tokio-rs/tokio/pull/7835 [#​7837]: https://redirect.github.com/tokio-rs/tokio/pull/7837 [#​7838]: https://redirect.github.com/tokio-rs/tokio/pull/7838 [#​7839]: https://redirect.github.com/tokio-rs/tokio/pull/7839 [#​7850]: https://redirect.github.com/tokio-rs/tokio/pull/7850 [#​7858]: https://redirect.github.com/tokio-rs/tokio/pull/7858 [#​7869]: https://redirect.github.com/tokio-rs/tokio/pull/7869 [#​7871]: https://redirect.github.com/tokio-rs/tokio/pull/7871 [#​7872]: https://redirect.github.com/tokio-rs/tokio/pull/7872 [#​7875]: https://redirect.github.com/tokio-rs/tokio/pull/7875 [#​7879]: https://redirect.github.com/tokio-rs/tokio/pull/7879 [#​7880]: https://redirect.github.com/tokio-rs/tokio/pull/7880 [#​7885]: https://redirect.github.com/tokio-rs/tokio/pull/7885 [#​7886]: https://redirect.github.com/tokio-rs/tokio/pull/7886 [#​7889]: https://redirect.github.com/tokio-rs/tokio/pull/7889 [#​7891]: https://redirect.github.com/tokio-rs/tokio/pull/7891 [#​7896]: https://redirect.github.com/tokio-rs/tokio/pull/7896 [#​7904]: https://redirect.github.com/tokio-rs/tokio/pull/7904 [#​7908]: https://redirect.github.com/tokio-rs/tokio/pull/7908 [#​7910]: https://redirect.github.com/tokio-rs/tokio/pull/7910 [#​7913]: https://redirect.github.com/tokio-rs/tokio/pull/7913 [#​7918]: https://redirect.github.com/tokio-rs/tokio/pull/7918 [#​7919]: https://redirect.github.com/tokio-rs/tokio/pull/7919 [#​7920]: https://redirect.github.com/tokio-rs/tokio/pull/7920 [#​7922]: https://redirect.github.com/tokio-rs/tokio/pull/7922 [#​7923]: https://redirect.github.com/tokio-rs/tokio/pull/7923 [#​7925]: https://redirect.github.com/tokio-rs/tokio/pull/7925 [#​7926]: https://redirect.github.com/tokio-rs/tokio/pull/7926 [#​7929]: https://redirect.github.com/tokio-rs/tokio/pull/7929 [#​7932]: 
https://redirect.github.com/tokio-rs/tokio/pull/7932 ### [`v1.49.0`](https://redirect.github.com/tokio-rs/tokio/releases/tag/tokio-1.49.0): Tokio v1.49.0 [Compare Source](https://redirect.github.com/tokio-rs/tokio/compare/tokio-1.48.0...tokio-1.49.0) ### 1.49.0 (January 3rd, 2026) ##### Added - net: add support for `TCLASS` option on IPv6 ([#​7781]) - runtime: stabilize `runtime::id::Id` ([#​7125]) - task: implement `Extend` for `JoinSet` ([#​7195]) - task: stabilize the `LocalSet::id()` ([#​7776]) ##### Changed - net: deprecate `{TcpStream,TcpSocket}::set_linger` ([#​7752]) ##### Fixed - macros: fix the hygiene issue of `join!` and `try_join!` ([#​7766]) - runtime: revert "replace manual vtable definitions with Wake" ([#​7699]) - sync: return `TryRecvError::Disconnected` from `Receiver::try_recv` after `Receiver::close` ([#​7686]) - task: remove unnecessary trait bounds on the `Debug` implementation ([#​7720]) ##### Unstable - fs: handle `EINTR` in `fs::write` for io-uring ([#​7786]) - fs: support io-uring with `tokio::fs::read` ([#​7696]) - runtime: disable io-uring on `EPERM` ([#​7724]) - time: add alternative timer for better multicore scalability ([#​7467]) ##### Documented - docs: fix a typos in `bounded.rs` and `park.rs` ([#​7817]) - io: add `SyncIoBridge` cross-references to `copy` and `copy_buf` ([#​7798]) - io: doc that `AsyncWrite` does not inherit from `std::io::Write` ([#​7705]) - metrics: clarify that `num_alive_tasks` is not strongly consistent ([#​7614]) - net: clarify the cancellation safety of the `TcpStream::peek` ([#​7305]) - net: clarify the drop behavior of `unix::OwnedWriteHalf` ([#​7742]) - net: clarify the platform-dependent backlog in `TcpSocket` docs ([#​7738]) - runtime: mention `LocalRuntime` in `new_current_thread` docs ([#​7820]) - sync: add missing period to `mpsc::Sender::try_send` docs ([#​7721]) - sync: clarify the cancellation safety of `oneshot::Receiver` ([#​7780]) - sync: improve the docs for the `errors` of mpsc ([#​7722]) - 
task: add example for `spawn_local` usage on local runtime ([#​7689]) [#​7125]: https://redirect.github.com/tokio-rs/tokio/pull/7125 [#​7195]: https://redirect.github.com/tokio-rs/tokio/pull/7195 [#​7305]: https://redirect.github.com/tokio-rs/tokio/pull/7305 [#​7467]: https://redirect.github.com/tokio-rs/tokio/pull/7467 [#​7614]: https://redirect.github.com/tokio-rs/tokio/pull/7614 [#​7686]: https://redirect.github.com/tokio-rs/tokio/pull/7686 [#​7689]: https://redirect.github.com/tokio-rs/tokio/pull/7689 [#​7696]: https://redirect.github.com/tokio-rs/tokio/pull/7696 [#​7699]: https://redirect.github.com/tokio-rs/tokio/pull/7699 [#​7705]: https://redirect.github.com/tokio-rs/tokio/pull/7705 [#​7720]: https://redirect.github.com/tokio-rs/tokio/pull/7720 [#​7721]: https://redirect.github.com/tokio-rs/tokio/pull/7721 [#​7722]: https://redirect.github.com/tokio-rs/tokio/pull/7722 [#​7724]: https://redirect.github.com/tokio-rs/tokio/pull/7724 [#​7738]: https://redirect.github.com/tokio-rs/tokio/pull/7738 [#​7742]: https://redirect.github.com/tokio-rs/tokio/pull/7742 [#​7752]: https://redirect.github.com/tokio-rs/tokio/pull/7752 [#​7766]: https://redirect.github.com/tokio-rs/tokio/pull/7766 [#​7776]: https://redirect.github.com/tokio-rs/tokio/pull/7776 [#​7780]: https://redirect.github.com/tokio-rs/tokio/pull/7780 [#​7781]: https://redirect.github.com/tokio-rs/tokio/pull/7781 [#​7786]: https://redirect.github.com/tokio-rs/tokio/pull/7786 [#​7798]: https://redirect.github.com/tokio-rs/tokio/pull/7798 [#​7817]: https://redirect.github.com/tokio-rs/tokio/pull/7817 [#​7820]: https://redirect.github.com/tokio-rs/tokio/pull/7820 </details> <details> <summary>servo/rust-url (url)</summary> ### [`v2.5.8`](https://redirect.github.com/servo/rust-url/compare/v2.5.7...v2.5.8) [Compare Source](https://redirect.github.com/servo/rust-url/compare/v2.5.7...v2.5.8) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Los_Angeles) - Branch creation - "after 4pm on friday" 
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/sdwilsh/jellyfin-remote-proxy).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Summary
`serde_yml = "0.0.13"` was published as a deprecation shim that structurally removes the unsound surface flagged by RUSTSEC-2025-0068:
The crate remains deprecated and is not under active development — every public item carries `#[deprecated]` and the README leads with a deprecation banner — but the specific API path documented in this advisory (`serde_yml::ser::Serializer.emitter` segfault) no longer exists.
This PR:
Verification
Anyone can confirm the structural fix locally:
```sh
cargo add serde_yml@0.0.13
cargo tree -p serde_yml | grep libyml # → no output (libyml is gone)
```
The `Serializer` rustdoc shows the unit-struct shape with no fields.
Related
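
A lockfile-level form of the verification described above, added here as an example; it is not part of this PR or of `serde_yml`'s own tooling. The function names and the three sample lockfiles are constructed, and the check reads `patched = ["^0.0.13"]` by Cargo's caret rule for `0.0.x` versions, which matches exactly `0.0.13`; it also covers a lockfile that carries two `serde_yml` versions at once.

```shell
#!/bin/sh
# Added example: audit a Cargo.lock for the RUSTSEC-2025-0068 surface.
# All names and sample data below are constructed for illustration.

# Print "name version" for every [[package]] entry in a Cargo.lock file.
lock_packages() {
    awk '
        /^\[\[package\]\]/ { name = ""; next }
        /^name = /    { gsub(/"/, "", $3); name = $3; next }
        /^version = / { gsub(/"/, "", $3); if (name != "") print name, $3; name = "" }
    ' "$1"
}

# Audit one lockfile. Prints one finding per line and returns 1 if any
# serde_yml entry falls outside ^0.0.13 (exactly 0.0.13 under the caret
# rule for 0.0.x) or a libyml package is still locked; returns 0 otherwise.
audit_lock() {
    findings=$(lock_packages "$1" | awk '
        $1 == "serde_yml" && $2 != "0.0.13" { print "unpatched serde_yml " $2 }
        $1 == "libyml"                      { print "libyml " $2 " still in graph" }
    ')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Write three constructed lockfiles (checksums and sources omitted) into "$1".
write_sample_locks() {
    cat > "$1/old.lock" <<'EOF'
version = 3

[[package]]
name = "libyml"
version = "0.0.5"

[[package]]
name = "serde_yml"
version = "0.0.12"
dependencies = [
 "libyml",
 "serde",
]
EOF
    cat > "$1/new.lock" <<'EOF'
version = 3

[[package]]
name = "noyalib"
version = "0.0.5"

[[package]]
name = "serde_yml"
version = "0.0.13"
dependencies = [
 "noyalib",
 "serde",
]
EOF
    # Two dependents pin different 0.0.x releases, so both stay locked.
    cat > "$1/mixed.lock" <<'EOF'
version = 3

[[package]]
name = "libyml"
version = "0.0.5"

[[package]]
name = "noyalib"
version = "0.0.5"

[[package]]
name = "serde_yml"
version = "0.0.12"

[[package]]
name = "serde_yml"
version = "0.0.13"
EOF
}

# Demo run over the constructed lockfiles.
demo=$(mktemp -d)
write_sample_locks "$demo"
for f in old new mixed; do
    echo "== $f.lock"
    if audit_lock "$demo/$f.lock"; then echo "clean"; fi
done
rm -rf "$demo"
```

Unlike `cargo tree ... | grep libyml`, where an empty result looks the same whether the graph is clean or the `cargo` step failed, the function's exit status separates "clean" from "findings" and can gate a CI job directly.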