Deps.rs

serde_yaml 0.8.9

[![dependency status](https://deps.rs/crate/serde_yaml/0.8.9/status.svg)](https://deps.rs/crate/serde_yaml/0.8.9)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate serde_yaml

Dependencies

(4 total, 1 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 dtoa^0.41.0.9out of date
 linked-hash-map^0.50.5.6up to date
 serde^1.0.601.0.198up to date
 yaml-rust ⚠️^0.40.4.5maybe insecure

Dev dependencies

(3 total, 2 outdated)

CrateRequiredLatestStatus
 serde_derive^1.01.0.198up to date
 unindent^0.10.2.3out of date
 version-sync^0.50.9.5out of date

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization

RUSTSEC-2018-0006

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted - is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).