Skip to content

File bincode as unmaintained #2515

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
EthanPlant wants to merge 2 commits into
base: main
Choose a base branch
from
Open

File bincode as unmaintained #2515

EthanPlant wants to merge 2 commits into from

Conversation

@EthanPlant
Copy link

@EthanPlant EthanPlant commented Dec 17, 2025

Resolves #2514

As per the issue comments, the maintainer has agreed with filing an advisory.

nmccarty
nmccarty reviewed Dec 17, 2025
View reviewed changes
Copy link
Contributor

@nmccarty nmccarty left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, previous emergency keyholder for the bincode-org organization here (to clarify my role in the org, it was basically just to revoke the owners access in the event of compromise, which to restate, is not what happened here)

The 'updates will only happen in the event of a CVE' part should be dropped. Given the impact on trust from this situation, the owner has made the decision to permanently archive the bincode crate. The other crates.io owners have been removed from the crates.io entry, and she has deleted her github account to ensure that no further releases can be made, and to force trust to be boostrapped fresh when and if someone decides to pick maintenance back up.

@VictorKoenders
Copy link

VictorKoenders commented Dec 17, 2025

Hi, previous developer for bincode here. To protect the supply chain that people seem to be more worried about than fellow humans, I have also decided to close virtue and unty, the two dependencies that bincode 2.0 depends on.

The remaining dependencies are:

  • Bincode 1.3.3
    • serde
    • serde_bytes (dev)
    • serde_derive (dev)
  • bincode 2.0
    • serde (optional)
    • ouroboros (dev)
    • serde_derive (dev)
    • serde_json (dev)
    • tempfile (dev)
    • criterion (dev)
    • rand (dev)
    • uuid (dev)
    • chrono (dev)
    • glam (dev)
    • bumpalo (dev)

@djc
Copy link
Contributor

djc commented Dec 17, 2025

@VictorKoenders want to send a PR for those?

@VictorKoenders
Copy link

VictorKoenders commented Dec 17, 2025

@VictorKoenders want to send a PR for those?

Considering my previous interaction with this repo in #1254 (comment) , no I do not want to send in a PR

djc
djc reviewed Dec 17, 2025
View reviewed changes
crates/bincode/RUSTSEC-0000-0000.md
Comment on lines +11 to +21
```
# Bincode is unmaintained

Development on bincode has ceased permanently, and updates will only be made in the event of a CVE. Projects are encouraged to migrate to alternatives such as `postcard` if possible. If compatibilty with the bincode format is required, consider using `wincode`.

## Alternatives

- [wincode](https://crates.io/crates/wincode) - Bincode-compatible alternative
- [postcard](https://crates.io/crates/postcard)
- [rkyv](https://crates.io/crates/rkyv)
- [bitcode](https://crates.io/crates/bitcode) No newline at end of file
Copy link
Contributor

@djc djc Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
```
# Bincode is unmaintained
Development on bincode has ceased permanently, and updates will only be made in the event of a CVE. Projects are encouraged to migrate to alternatives such as `postcard` if possible. If compatibilty with the bincode format is required, consider using `wincode`.
## Alternatives
- [wincode](https://crates.io/crates/wincode) - Bincode-compatible alternative
- [postcard](https://crates.io/crates/postcard)
- [rkyv](https://crates.io/crates/rkyv)
- [bitcode](https://crates.io/crates/bitcode)

Bincode is unmaintained

Due to a doxxing and harassment incident, the bincode team has taken the decision to cease
development permanently.

The team considers version 1.3.3 a complete version of bincode that is not in need of any updates.

Alternatives to consider

@smoelius smoelius mentioned this pull request Dec 23, 2025
Open
@nmccarty
Copy link
Contributor

nmccarty commented Jan 7, 2026

@djc Sorry to be a bother, but is there anyway we could go ahead and get some movement on merging this? Getting a bit tired of still having the cargo-deny nuclear bomb still hanging over our heads.

@djc
Copy link
Contributor

djc commented Jan 7, 2026

@djc Sorry to be a bother, but is there anyway we could go ahead and get some movement on merging this? Getting a bit tired of still having the cargo-deny nuclear bomb still hanging over our heads.

No bother at all, I agree. Want to take what's here and copy it into a new PR, with suggestions addressed?

@nmccarty nmccarty mentioned this pull request Jan 7, 2026
Merged
@nmccarty
Copy link
Contributor

nmccarty commented Jan 7, 2026

@djc Sorry to be a bother, but is there anyway we could go ahead and get some movement on merging this? Getting a bit tired of still having the cargo-deny nuclear bomb still hanging over our heads.

No bother at all, I agree. Want to take what's here and copy it into a new PR, with suggestions addressed?

Sure, I've gone ahead and opened up #2574

@xu-cheng xu-cheng mentioned this pull request Jan 8, 2026
Closed
@Skgland Skgland mentioned this pull request Jan 9, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@djc djc djc left review comments

+1 more reviewer

@nmccarty nmccarty nmccarty left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bincode is unmaintained

4 participants

@EthanPlant @VictorKoenders @djc @nmccarty