fix: avoid problematic serde release

It doesn't work with the downstream nix users of jrsonnet, and may cause security issues. Upstream issue: serde-rs/serde#2538
CertainLach · Aug 19, 2023 · be1ca0e · be1ca0e
1 parent 19baaf2
commit be1ca0e
Show file tree

Hide file tree

Showing 7 changed files with 10 additions and 5 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,6 +16,9 @@ jrsonnet-types = { path = "./crates/jrsonnet-types", version = "0.5.0-pre95" }
 
 jrsonnet-gcmodule = "0.3.6"
 
+# <= 1.0.171 due to serde-rs/serde#2538
+serde = { version = ">= 1.0.126, <= 1.0.171" }
+
 #[profile.test]
 #opt-level = 1
 

diff --git a/cmds/jrsonnet/Cargo.toml b/cmds/jrsonnet/Cargo.toml
@@ -42,3 +42,5 @@ mimallocator = { version = "0.1.3", optional = true }
 thiserror = "1.0"
 clap = { version = "4.1", features = ["derive"] }
 clap_complete = { version = "4.1" }
+serde_json = "1.0.104"
+serde = { workspace = true, features = ["derive"] }
diff --git a/crates/jrsonnet-evaluator/Cargo.toml b/crates/jrsonnet-evaluator/Cargo.toml
@@ -47,7 +47,7 @@ thiserror = "1.0"
 # Friendly errors
 strsim = { version = "0.10.0" }
 
-serde = "1.0"
+serde.workspace = true
 
 anyhow = { version = "1.0", optional = true }
 # Serialized stdlib

diff --git a/crates/jrsonnet-interner/Cargo.toml b/crates/jrsonnet-interner/Cargo.toml
@@ -19,7 +19,7 @@ serde = ["dep:serde"]
 [dependencies]
 jrsonnet-gcmodule.workspace = true
 
-serde = { version = "1.0", optional = true }
+serde = { workspace = true, optional = true }
 structdump = { version = "0.2.0", optional = true }
 
 rustc-hash = "1.1"

diff --git a/crates/jrsonnet-parser/Cargo.toml b/crates/jrsonnet-parser/Cargo.toml
@@ -35,5 +35,5 @@ static_assertions = "1.1"
 
 peg = "0.8.1"
 
-serde = { version = "1.0", features = ["derive", "rc"], optional = true }
+serde = { workspace = true, features = ["derive", "rc"], optional = true }
 structdump = { version = "0.2.0", features = ["derive"], optional = true }
diff --git a/crates/jrsonnet-stdlib/Cargo.toml b/crates/jrsonnet-stdlib/Cargo.toml
@@ -30,7 +30,7 @@ jrsonnet-gcmodule.workspace = true
 # Used for stdlib AST serialization
 bincode = { version = "1.3", optional = true }
 # Used both for stdlib AST serialization and std.parseJson/std.parseYaml
-serde = "1.0"
+serde.workspace = true
 
 # std.md5
 md5 = "0.7.0"

diff --git a/tests/Cargo.toml b/tests/Cargo.toml
@@ -8,4 +8,4 @@ publish = false
 jrsonnet-evaluator.workspace = true
 jrsonnet-gcmodule.workspace = true
 jrsonnet-stdlib.workspace = true
-serde = "1.0.142"
+serde.workspace = true