From d36781f8931521f6c79d0db64f4003d19436b9fe Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 24 Apr 2026 05:57:39 +0000 Subject: [PATCH 1/2] chore(deps): replace serde_yml with serde_yaml_ng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit serde_yml v0.0.12 triggers RUSTSEC-2025-0068 (unsound, unmaintained; project archived), which fails the Security Analysis cargo-deny advisories check. No safe upgrade of serde_yml is available, so switch to serde_yaml_ng — a drop-in maintained fork — per the advisory's recommended alternatives. --- Cargo.lock | 28 +++++++++++----------------- Cargo.toml | 2 +- crates/vite_workspace/Cargo.toml | 2 +- crates/vite_workspace/src/error.rs | 4 ++-- crates/vite_workspace/src/lib.rs | 6 +++--- 5 files changed, 18 insertions(+), 24 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 387e4263..d700a277 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1770,16 +1770,6 @@ dependencies = [ "escape8259", ] -[[package]] -name = "libyml" -version = "0.0.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3302702afa434ffa30847a83305f0a69d6abd74293b6554c18ec85c7ef30c980" -dependencies = [ - "anyhow", - "version_check", -] - [[package]] name = "line-clipping" version = "0.3.5" @@ -3081,18 +3071,16 @@ dependencies = [ ] [[package]] -name = "serde_yml" -version = "0.0.12" +name = "serde_yaml_ng" +version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "59e2dd588bf1597a252c3b920e0143eb99b0f76e4e082f4c92ce34fbc9e71ddd" +checksum = "7b4db627b98b36d4203a7b458cf3573730f2bb591b28871d916dfa9efabfd41f" dependencies = [ "indexmap", "itoa", - "libyml", - "memchr", "ryu", "serde", - "version_check", + "unsafe-libyaml", ] [[package]] 
@@ -3818,6 +3806,12 @@ version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853" +[[package]] +name = "unsafe-libyaml" +version = "0.2.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861" + [[package]] name = "utf8-chars" version = "3.0.6" @@ -4102,7 +4096,7 @@ dependencies = [ "rustc-hash", "serde", "serde_json", - "serde_yml", + "serde_yaml_ng", "tempfile", "thiserror 2.0.18", "tracing", diff --git a/Cargo.toml b/Cargo.toml index 28e3e250..efba9c27 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -116,7 +116,7 @@ rustc-hash = "2.1.1" seccompiler = { git = "https://github.com/rust-vmm/seccompiler", rev = "08587106340b8e3cb361c7561411510039436857" } serde = "1.0.219" serde_json = "1.0.140" -serde_yml = "0.0.12" +serde_yaml_ng = "0.10.0" sha2 = "0.10.9" shared_memory = "0.12.4" shell-escape = "0.1.5" diff --git a/crates/vite_workspace/Cargo.toml b/crates/vite_workspace/Cargo.toml index b975f9fb..3f1acfed 100644 --- a/crates/vite_workspace/Cargo.toml +++ b/crates/vite_workspace/Cargo.toml @@ -14,7 +14,7 @@ rustc-hash = { workspace = true } serde = { workspace = true, features = ["derive"] } # use `preserve_order` feature to preserve the order of the fields in `package.json` serde_json = { workspace = true, features = ["preserve_order"] } -serde_yml = { workspace = true } +serde_yaml_ng = { workspace = true } thiserror = { workspace = true } tracing = { workspace = true } vec1 = { workspace = true, features = ["smallvec-v1"] } diff --git a/crates/vite_workspace/src/error.rs b/crates/vite_workspace/src/error.rs index fcbc6da9..14cf9d49 100644 --- a/crates/vite_workspace/src/error.rs +++ b/crates/vite_workspace/src/error.rs 
@@ -43,10 +43,10 @@ pub enum Error { }, #[error("Failed to parse YAML file at {file_path:?}")] - SerdeYml { + SerdeYaml { file_path: Arc, #[source] - serde_yml_error: serde_yml::Error, + serde_yaml_error: serde_yaml_ng::Error, }, #[error(transparent)] diff --git a/crates/vite_workspace/src/lib.rs b/crates/vite_workspace/src/lib.rs index 84a894ef..1f1e7c3e 100644 --- a/crates/vite_workspace/src/lib.rs +++ b/crates/vite_workspace/src/lib.rs @@ -248,10 +248,10 @@ pub fn load_package_graph( let mut graph_builder = PackageGraphBuilder::default(); let workspaces = match &workspace_root.workspace_file { WorkspaceFile::PnpmWorkspaceYaml(file_with_path) => { - let workspace: PnpmWorkspace = serde_yml::from_slice(file_with_path.content()) - .map_err(|e| Error::SerdeYml { + let workspace: PnpmWorkspace = serde_yaml_ng::from_slice(file_with_path.content()) + .map_err(|e| Error::SerdeYaml { file_path: Arc::clone(file_with_path.path()), - serde_yml_error: e, + serde_yaml_error: e, })?; workspace.packages } From 7cb2178ef4150cda710d17316335606d0bf52e6c Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 24 Apr 2026 06:25:05 +0000 Subject: [PATCH 2/2] chore(deps): switch from serde_yaml_ng to serde_norway serde_norway is more actively maintained (Dec 2024 vs May 2024 last release), dual-licensed MIT/Apache-2.0, and ships its own unsafe-libyaml-norway fork so advisories against the C bindings can be patched without waiting on upstream. --- Cargo.lock | 32 +++++++++++++++--------------- Cargo.toml | 2 +- crates/vite_workspace/Cargo.toml | 2 +- crates/vite_workspace/src/error.rs | 2 +- crates/vite_workspace/src/lib.rs | 2 +- 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d700a277..1003a961 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -3062,25 +3062,25 @@ dependencies = [ ] [[package]] -name = "serde_spanned" -version = "1.0.4" +name = "serde_norway" +version = "0.9.42" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776" +checksum = "e408f29489b5fd500fab51ff1484fc859bb655f32c671f307dcd733b72e8168c" dependencies = [ - "serde_core", + "indexmap", + "itoa", + "ryu", + "serde", + "unsafe-libyaml-norway", ] [[package]] -name = "serde_yaml_ng" -version = "0.10.0" +name = "serde_spanned" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b4db627b98b36d4203a7b458cf3573730f2bb591b28871d916dfa9efabfd41f" +checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776" dependencies = [ - "indexmap", - "itoa", - "ryu", - "serde", - "unsafe-libyaml", + "serde_core", ] [[package]] @@ -3807,10 +3807,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853" [[package]] -name = "unsafe-libyaml" -version = "0.2.11" +name = "unsafe-libyaml-norway" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861" +checksum = "b39abd59bf32521c7f2301b52d05a6a2c975b6003521cbd0c6dc1582f0a22104" [[package]] name = "utf8-chars" @@ -4096,7 +4096,7 @@ dependencies = [ "rustc-hash", "serde", "serde_json", - "serde_yaml_ng", + "serde_norway", "tempfile", "thiserror 2.0.18", "tracing", diff --git a/Cargo.toml b/Cargo.toml index efba9c27..835614d0 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -116,7 +116,7 @@ rustc-hash = "2.1.1" seccompiler = { git = "https://github.com/rust-vmm/seccompiler", rev = "08587106340b8e3cb361c7561411510039436857" } serde = "1.0.219" serde_json = "1.0.140" -serde_yaml_ng = "0.10.0" +serde_norway = "0.9.42" sha2 = "0.10.9" shared_memory = "0.12.4" shell-escape = "0.1.5" diff --git a/crates/vite_workspace/Cargo.toml b/crates/vite_workspace/Cargo.toml index 3f1acfed..6a0c4a94 100644 --- a/crates/vite_workspace/Cargo.toml +++ b/crates/vite_workspace/Cargo.toml @@ -14,7 +14,7 @@ rustc-hash = { workspace = true } serde = { workspace = true, features = ["derive"] } # use `preserve_order` feature to preserve the order of the fields in `package.json` serde_json = { workspace = true, features = ["preserve_order"] } -serde_yaml_ng = { workspace = true } +serde_norway = { workspace = true } thiserror = { workspace = true } tracing = { workspace = true } vec1 = { workspace = true, features = ["smallvec-v1"] } diff --git a/crates/vite_workspace/src/error.rs b/crates/vite_workspace/src/error.rs index 14cf9d49..36aee086 100644 --- a/crates/vite_workspace/src/error.rs +++ b/crates/vite_workspace/src/error.rs @@ -46,7 +46,7 @@ pub enum Error { SerdeYaml { file_path: Arc, #[source] - serde_yaml_error: serde_yaml_ng::Error, + serde_yaml_error: serde_norway::Error, }, #[error(transparent)] diff --git a/crates/vite_workspace/src/lib.rs b/crates/vite_workspace/src/lib.rs index 1f1e7c3e..ab145a3e 100644 --- a/crates/vite_workspace/src/lib.rs +++ b/crates/vite_workspace/src/lib.rs 
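Review bot: Repinning the workspace to `serde_norway = "0.9.42"` moves the YAML parser and its libyaml backend onto renamed forks (`unsafe-libyaml-norway` per the lockfile), and RustSec advisories are keyed by crate name, so the cargo-deny advisories check that motivated this series will no longer flag advisories filed against `serde_yaml`/`unsafe-libyaml` even where the fork still carries the same code. The message gives release recency and licensing as the rationale but not provenance; unlike `serde_yaml_ng` in the previous patch, this crate is not said to come from the advisory's recommended alternatives, so the commit should record who publishes it and that the new lockfile checksums were reviewed. I would leave a why-comment beside the pin so the next maintainer knows the monitoring gap, e.g. `# YAML parser: serde_yaml fork; advisories against upstream unsafe-libyaml will not match the -norway crate name, track manually`.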
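Review bot: The `serde_yaml_error` field of the public `Error::SerdeYaml` variant now changes type for the second time in this series (`serde_yml::Error` to `serde_yaml_ng::Error` to `serde_norway::Error`, after the variant itself was renamed), which is a breaking change for any consumer that matches or inspects this field. Since the enclosing `pub enum Error` starts outside the hunk and the YAML backend is evidently subject to churn, consider decoupling the public surface from the parser crate by storing an opaque source, e.g. `serde_yaml_error: Box<dyn std::error::Error + Send + Sync + 'static>,` (thiserror accepts a boxed `dyn Error` as `#[source]`, to be confirmed against the pinned version), with the call site boxing the error. That way the next advisory-driven swap does not ripple into downstream crates.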
@@ -248,7 +248,7 @@ pub fn load_package_graph( let mut graph_builder = PackageGraphBuilder::default(); let workspaces = match &workspace_root.workspace_file { WorkspaceFile::PnpmWorkspaceYaml(file_with_path) => { - let workspace: PnpmWorkspace = serde_yaml_ng::from_slice(file_with_path.content()) + let workspace: PnpmWorkspace = serde_norway::from_slice(file_with_path.content()) .map_err(|e| Error::SerdeYaml { file_path: Arc::clone(file_with_path.path()), serde_yaml_error: e,
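Review bot: The parser behind `serde_norway::from_slice(file_with_path.content())` has now been swapped twice with no test touched (the diffstat lists only dependency and source files), so nothing pins that `pnpm-workspace.yaml` still deserializes the same way; edge cases such as an empty document, a `packages:` key with a null value, or unknown keys are exactly where serde_yaml-family forks can differ, and an empty file in particular is typically rejected for a struct target rather than treated as "no packages". Please add a small fixture-based test for `PnpmWorkspace` covering those inputs before the next swap. This is also the one point where repository-controlled YAML meets an unsafe-heavy parser fork, which deserves a why-comment above the call: `// pnpm-workspace.yaml is repo-controlled input; parsed by serde_norway (unsafe-libyaml-norway backend), see cargo-deny advisories`. `load_package_graph` starts before and continues past this hunk.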