serde_yaml is unmaintained

[jayvdb]

https://crates.io/crates/serde_yaml latest version is "v0.9.34+deprecated" - uploaded March 2024

Repo https://github.com/dtolnay/serde-yaml was also archived.

Forks:

• https://github.com/sebastienrousseau/serde_yml/commits/master/ - 110 commits - uses https://crates.io/crates/libyml instead of also unmaintained unsafe-libyaml (see Concerns with serde_yml #2212)
• https://crates.io/crates/serde_yaml_ng - ~30 commits / quite active at https://github.com/acatton/serde-yaml-ng/commits/master/
• https://crates.io/crates/serde_norway - ~30 commits / quite active at https://github.com/cafkafk/serde-norway , however states that they are not committed to maintaining long term
• https://crates.io/crates/serde_yaml_ok - one enhancement at https://github.com/mkovaxx/serde-yaml-ok/commits/main/
• https://github.com/chhe/serde-yaml - branches of 0.8 instead of 0.9 - @chhe , what was the reason for doing this?

Alternatives:

• https://crates.io/crates/serde_yaml2 , project started in April 2024 - https://github.com/zim32/serde_yaml2/commits/main/ ; uses https://github.com/Ethiraric/yaml-rust2 instead of libyaml - Incompatibilities being collated at Compatibility with serde_yaml zim32/serde_yaml2#2
• https://github.com/KmolYuan/yaml-peg-rs - no yaml dependency used
• https://github.com/qiuchengxuan/serde-yaml-core - not on crates.io - "serde-yaml for no_std programs"
• https://github.com/s1s5/serde-yaml - another attempt at using yaml-rust2
• https://github.com/g-plane/pretty_yaml - no yaml dependency used

[cafkafk]

https://crates.io/crates/serde_norway - ~30 commits / quite active at https://github.com/cafkafk/serde-norway , however states that they are not committed to maintaining long term

Regarding this, I've decided to actually commit to maintaining it, since it has made it's way into too many projects I care about.

[evilpie]

See also #2212

[jayvdb]

https://x.com/davidtolnay/status/1884351128332296594

Anything with a legacy from libyaml should be regarded as defective. It is no longer developed and there is a high severity security vulnerability that the maintainers have kept private for 10 months.

Sounds like an advisory should be done, especially for unsafe-libyaml. Probably also forks. @cafkafk ;-(

[cafkafk]

To be fair, I know of a few other c libs that have embargoed vulns with worse lifetimes than that, that haven't been fixed yet to my knowledge, so I wouldn't put that against libyaml (the kernel will have vulns with lifetimes like this that are embargoed for years IIRC), but the being unmaintained part is a bigger problem.