
fix: Replace serde_yml with serde_yaml_ng to fix RUSTSEC-2025-0067/0068#11755

Merged
anthonyshew merged 1 commit into main from fix/replace-serde-yml on Feb 10, 2026

Conversation

@anthonyshew
Contributor

Summary

  • Replaces the serde_yml (0.0.12) dependency with serde_yaml_ng (0.10.0) across the workspace
  • Removes transitive dependency on libyml (0.0.5), which is flagged as unsound

Why

serde_yml and its transitive dependency libyml are flagged by two RustSec advisories:

  • RUSTSEC-2025-0067: serde_yml is unmaintained
  • RUSTSEC-2025-0068: libyml contains unsound code

serde_yaml_ng is the maintained fork (by the original serde_yaml author's community) and provides an API-compatible replacement. It uses unsafe-libyaml instead of the unsound libyml.

What changed

Workspace Cargo.toml and four crate Cargo.toml files (turborepo-shim, turborepo-repository, turborepo-lockfiles, turborepo-lib) updated to depend on serde_yaml_ng instead of serde_yml. Seven Rust source files updated to use serde_yaml_ng:: paths. The API surface (from_str, from_slice, from_reader, to_string, Value, Error) is identical.

Testing

  • cargo check passes for all four affected crates
  • cargo test -p turborepo-lockfiles — all 303 tests pass
  • cargo audit confirms RUSTSEC-2025-0067 and RUSTSEC-2025-0068 are resolved

Resolves TURBO-5263
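The "cargo audit confirms ..." item above checks against the live advisory database. As an added offline complement (example code added here, not part of this PR or of the turborepo repository), the script below scans a Cargo.lock for resolved `[[package]]` entries named `serde_yml` or `libyml`, the two crates the advisories cover, so a reviewer can confirm the transitive `libyml` really dropped out of the lockfile. The two lockfile snippets are constructed samples, not turborepo's real Cargo.lock.

```shell
#!/bin/sh
# Added example (not from the PR): offline check that the crates named in
# RUSTSEC-2025-0067 (serde_yml) and RUSTSEC-2025-0068 (libyml) are no longer
# resolved packages in a Cargo.lock. cargo audit remains the authoritative check.

FLAGGED_CRATES="serde_yml libyml"

# Print each [[package]] entry in $1 whose name is flagged. Only "name =" lines
# inside a [[package]] block count, so a mention in a dependencies list is not a hit.
flagged_packages() {
    awk -v flagged="$FLAGGED_CRATES" '
        BEGIN { n = split(flagged, arr, " "); for (i = 1; i <= n; i++) bad[arr[i]] = 1 }
        /^\[\[package\]\]/ { inpkg = 1; next }
        inpkg && /^name = "/ {
            name = $0; sub(/^name = "/, "", name); sub(/".*$/, "", name)
            if (name in bad) print name
            inpkg = 0
        }' "$1"
}

# Exit 0 when $1 resolves none of the flagged crates, 1 otherwise.
lock_is_clean() {
    [ -z "$(flagged_packages "$1")" ]
}

# Constructed sample lockfiles (not turborepo's real Cargo.lock): before and after the swap.
BEFORE=$(mktemp)
cat > "$BEFORE" <<'EOF'
[[package]]
name = "libyml"
version = "0.0.5"

[[package]]
name = "serde_yml"
version = "0.0.12"
dependencies = [
 "libyml",
]
EOF
AFTER=$(mktemp)
cat > "$AFTER" <<'EOF'
[[package]]
name = "serde_yaml_ng"
version = "0.10.0"
dependencies = [
 "unsafe-libyaml",
]
EOF
lock_is_clean "$AFTER" && echo "after: no flagged crates resolved"
```

Point `flagged_packages` at the workspace's real Cargo.lock to get the same check on the actual dependency graph.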

@anthonyshew anthonyshew requested a review from a team as a code owner February 10, 2026 03:50
@anthonyshew anthonyshew requested review from tknickman and removed request for a team February 10, 2026 03:50
@vercel
Contributor

vercel Bot commented Feb 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
examples-basic-web Ready Ready Preview, Comment, Open in v0 Feb 10, 2026 3:51am
examples-designsystem-docs Ready Ready Preview, Comment, Open in v0 Feb 10, 2026 3:51am
examples-gatsby-web Ready Ready Preview, Comment, Open in v0 Feb 10, 2026 3:51am
examples-kitchensink-blog Ready Ready Preview, Comment, Open in v0 Feb 10, 2026 3:51am
examples-nonmonorepo Ready Ready Preview, Comment, Open in v0 Feb 10, 2026 3:51am
examples-svelte-web Ready Ready Preview, Comment, Open in v0 Feb 10, 2026 3:51am
examples-tailwind-web Ready Ready Preview, Comment, Open in v0 Feb 10, 2026 3:51am
examples-vite-web Ready Ready Preview, Comment, Open in v0 Feb 10, 2026 3:51am
turbo-site Ready Ready Preview, Comment, Open in v0 Feb 10, 2026 3:51am
turborepo-test-coverage Ready Ready Preview, Comment, Open in v0 Feb 10, 2026 3:51am

@codspeed-hq

codspeed-hq Bot commented Feb 10, 2026

Congrats! CodSpeed is installed 🎉

🆕 4 new benchmarks were detected.

You will start to see performance impacts in the reports once the benchmarks are run from your default branch.


@github-actions
Contributor

Coverage Report

Metric Coverage
Lines 76.02%
Functions 46.85%
Branches 0.00%


@anthonyshew anthonyshew enabled auto-merge (squash) February 10, 2026 04:01
@anthonyshew anthonyshew merged commit 15f1da2 into main Feb 10, 2026
102 checks passed
@anthonyshew anthonyshew deleted the fix/replace-serde-yml branch February 10, 2026 04:03
github-actions Bot added a commit that referenced this pull request Feb 10, 2026
## Release v2.8.3-canary.15

Versioned docs: https://v2-8-3-canary-15.turborepo.dev

### Changes

- fix: Replace `oxc_resolver` with `unrs_resolver` to fix yanked `papaya` dependency (#11754) (`1db1450522`)
- fix: Replace `serde_yml` with `serde_yaml_ng` to fix RUSTSEC-2025-0067/0068 (#11755) (`15f1da2dbf`)
- chore: Remove Dependabot configuration (#11753) (`c5ab6db43c`)
- chore: Switch canary releases from push-to-main to hourly cron (#11745) (`2656caf4cf`)
- release(turborepo): 2.8.3-canary.14 (#11742) (`e222027088`)

Co-authored-by: Turbobot <turbobot@vercel.com>