cargo-audit reports that yaml-rust is unmaintained

[stefano-garzarella]

We are using this crate in https://github.com/rust-vmm/vhost-device/tree/main/vhost-device-vsock
We run cargo-audit in our CI which now is reporting that a dependency of this crate is unmaintained:

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 615 security advisories (from /home/stefano/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (177 crate dependencies)
Crate:     yaml-rust
Version:   0.4.5
Warning:   unmaintained
Title:     yaml-rust is unmaintained.
Date:      2024-03-20
ID:        RUSTSEC-2024-0320
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0320
Dependency tree:
yaml-rust 0.4.5
└── config 0.14.0
    └── vhost-device-vsock 0.1.0

warning: 1 allowed warning found

[w3irdrobot]

more information here: rustsec/advisory-db#1921

[polarathene]

I have a PR open to switch to a different crate: #474

If anyone wants to pick up my work there that's appreciated, otherwise I plan to get my PRs for this project when I can spare the time. Presently I'm hoping for that to be in April/May but I keep getting tied up elsewhere 😩

[adamwalz]

serde-yaml used in #474 is also unmaintained 😓

[polarathene]

serde-yaml used in #474 is also unmaintained 😓

Oh I see it was archived with a final release just 2 days ago.

Perhaps it could be moved to the same rust org that config-rs is being relocated to for future maintenance? 🤷‍♂️

[0rzech]

RUSTSEC-2024-0320 suggests another crate:

Consider switching to the actively maintained yaml-rust2 fork of the original project:

• yaml-rust2
• yaml-rust2 @ crates.io

Yaml-rust2's author is also active in rustsec/advisory-db#1921 issue linked in #553 (comment) .

[stefano-garzarella]

@0rzech thanks for the quick fix!
@matthiasbeyer is there a release planned soon with this fix?

Thanks,
Stefano

[matthiasbeyer]

No, see #549 .