fix(deps): replace serde_yml with serde_yaml_ng (RUSTSEC-2025-0068)

lingcoder · lingcoder · commit b3d2bd6e7169 · 2026-04-15T00:24:33.000+08:00
serde_yml is unsound and unmaintained. Switch to serde_yaml_ng
(maintained fork) which has an API-compatible interface. Also clean up
stale advisory ignores in deny.toml.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,7 +22,7 @@ futures = "0.3"
 # ─── 序列化 ───
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-serde_yml = "0.0.12"
+serde_yaml_ng = "0.10"
 toml = "1.1.2"
 
 # ─── CLI ───
diff --git a/crates/memory/Cargo.toml b/crates/memory/Cargo.toml
@@ -15,7 +15,7 @@ mem-ranker = ["dep:crab-api", "dep:crab-core", "dep:tokio"]
 crab-common.workspace = true
 serde.workspace = true
 serde_json.workspace = true
-serde_yml.workspace = true
+serde_yaml_ng.workspace = true
 dunce.workspace = true
 # optional — only for mem-ranker feature
 crab-api = { workspace = true, optional = true }
diff --git a/crates/memory/src/types.rs b/crates/memory/src/types.rs
@@ -84,8 +84,8 @@ fn split_frontmatter(content: &str) -> Option<(&str, &str)> {
 /// (`name`, `description`, `type`) are missing.
 pub fn parse_frontmatter(content: &str) -> Option<MemoryMetadata> {
     let (yaml, _) = split_frontmatter(content)?;
-    // serde_yml may return Err for missing required fields — map to None.
-    serde_yml::from_str(yaml).ok()
+    // serde_yaml_ng may return Err for missing required fields — map to None.
+    serde_yaml_ng::from_str(yaml).ok()
 }
 
 /// Return the body text after the frontmatter delimiters.
@@ -101,7 +101,7 @@ pub fn extract_body(content: &str) -> &str {
 /// Render [`MemoryMetadata`] as a YAML frontmatter block (including `---`
 /// delimiters).
 pub fn format_frontmatter(metadata: &MemoryMetadata) -> String {
-    // Build YAML manually for deterministic ordering (serde_yml output order
+    // Build YAML manually for deterministic ordering (serde_yaml_ng output order
     // is not guaranteed).
     let mut out = String::from("---\n");
     let _ = writeln!(out, "name: {}", metadata.name);
diff --git a/deny.toml b/deny.toml
@@ -2,9 +2,6 @@
 ignore = [
     # Unmaintained crates — transitive deps, will address when alternatives mature
     { id = "RUSTSEC-2024-0320", reason = "yaml-rust unmaintained, transitive via syntect" },
-    { id = "RUSTSEC-2024-0384", reason = "transitive dep, no safe upgrade available yet" },
-    { id = "RUSTSEC-2024-0436", reason = "transitive dep, no safe upgrade available yet" },
-    { id = "RUSTSEC-2025-0134", reason = "transitive dep, no safe upgrade available yet" },
     { id = "RUSTSEC-2025-0141", reason = "transitive dep, no safe upgrade available yet" },
 ]
 

Original file line number	Diff line number	Diff line change
`@@ -2,9 +2,6 @@`
`2`	`2`	`ignore = [`
`3`	`3`	`# Unmaintained crates — transitive deps, will address when alternatives mature`
`4`	`4`	`{ id = "RUSTSEC-2024-0320", reason = "yaml-rust unmaintained, transitive via syntect" },`
`5`		`- { id = "RUSTSEC-2024-0384", reason = "transitive dep, no safe upgrade available yet" },`
`6`		`- { id = "RUSTSEC-2024-0436", reason = "transitive dep, no safe upgrade available yet" },`
`7`		`- { id = "RUSTSEC-2025-0134", reason = "transitive dep, no safe upgrade available yet" },`
`8`	`5`	`{ id = "RUSTSEC-2025-0141", reason = "transitive dep, no safe upgrade available yet" },`
`9`	`6`	`]`
`10`	`7`