[advisory]
# Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN"
# identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs.
id = "RUSTSEC-0000-0000"
# Name of the affected crate (mandatory)
package = "serde_yaml"
# Disclosure date of the advisory as an RFC 3339 date (mandatory)
date = "2024-07-21"
# URL to a long-form description of this issue, e.g. a GitHub issue/PR,
# a change log entry, or a blogpost announcing the release (optional, except
# for advisories using a license that requires attribution).
url = "https://github.com/dtolnay/serde-yaml/blob/master/README.md"
# Optional: Indicates the type of informational security advisory
# - "unsound" for soundness issues
# - "unmaintained" for crates that are no longer maintained
# - "notice" for other informational notices
informational = "unmaintained"
# Freeform keywords which describe this vulnerability, similar to Cargo (optional)
keywords = ["yaml", "serde", "serialization"]
# Versions which include fixes for this vulnerability (mandatory)
# All selectors supported by Cargo are supported here:
# https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html
# use patched = [] e.g. in case of unmaintained where there is no fix
[versions]
patched = []The creator of serde_yaml has stated in the readme of their repo that the lib is no longer maintained, and also marked versoin 0.9.34 as deprecated.
The repo is archived and an issue can not be opened to confirm the authors desire to push an advisory.