Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Describe your changes
As discussed in linked issue
yaml-rust
is not maintened and poses a risk as future vulnerabilities or bugs in yaml-rust will not be addressed. Also it makes noise if you runcargo-audit
. As advised in RUSTSEC-2024-0320yaml-rust2
is a fully compliant YAML 1.2 implementation written in rust and works faster than its predecessoryaml-rust
and fully compatible with it.crates/app
is the affected crate and it fetchesyaml-rust
fromconfig
crate.I've udpated
config
crate to the latest version and fixed compilation errors and warnings.The reason why I'm using commit version instead of release tag for
config
crate is that it's owner is looking for new maintainer and not releasing new tags until than. Butyaml-rust2
issue was tested and merged to main branch from this pr so it should be safe to use.Indicate on which release or other PRs this topic is based on
rust-cli/config-rs#553
#2993
Checklist before merging to
draft