fix: avoid problematic serde release
serde 1.0.172 and up rely on opaque non-reproducible binary blobs to function, explicitly not providing a library-level opt-out. This is problematic for two reasons: - directly, unauditable binary blobs are a security issue. - indirectly, it becomes much harder to predict future behaviors of the crate. As such, I am willing to go on a limb here and forbid building rust-analyzer with those versions of serde. Normally, my philosophy is to defer the choice to the end user, but it's also a design constraint of rust-analyzer that we don't run random binaries downloaded from the internet without explicit user's concent. Concretely, this upper-bounds serde for both rust-analyzer workspace, as well as the lsp-server lib. See https://github.com/serde-rs/serde/issues/2538 for wider context.
This commit is contained in:
parent
721e0e3512
commit
6c46b98a95
10
Cargo.lock
generated
10
Cargo.lock
generated
@ -1000,22 +1000,22 @@ checksum = "b06a4cde4c0f271a446782e3eff8de789548ce57dbc8eca9292c27f4a42004b4"
|
||||
[[package]]
|
||||
name = "lsp-server"
|
||||
version = "0.7.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "37ea9ae5a5082ca3b6ae824fc7666cd206b99168a4d4c769ad8fe9cc740df6a6"
|
||||
dependencies = [
|
||||
"crossbeam-channel",
|
||||
"log",
|
||||
"lsp-types",
|
||||
"serde",
|
||||
"serde_json",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "lsp-server"
|
||||
version = "0.7.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "37ea9ae5a5082ca3b6ae824fc7666cd206b99168a4d4c769ad8fe9cc740df6a6"
|
||||
version = "0.7.3"
|
||||
dependencies = [
|
||||
"crossbeam-channel",
|
||||
"log",
|
||||
"lsp-types",
|
||||
"serde",
|
||||
"serde_json",
|
||||
]
|
||||
@ -1555,7 +1555,7 @@ dependencies = [
|
||||
"ide-ssr",
|
||||
"itertools",
|
||||
"load-cargo",
|
||||
"lsp-server 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"lsp-server 0.7.2",
|
||||
"lsp-types",
|
||||
"mbe",
|
||||
"mimalloc",
|
||||
|
@ -97,7 +97,8 @@ smallvec = { version = "1.10.0", features = [
|
||||
smol_str = "0.2.0"
|
||||
nohash-hasher = "0.2.0"
|
||||
text-size = "1.1.0"
|
||||
serde = { version = "1.0.156", features = ["derive"] }
|
||||
# See https://github.com/serde-rs/serde/issues/2538#issuecomment-1684517372 for why we pin serde
|
||||
serde = { version = "1.0.156, < 1.0.172", features = ["derive"] }
|
||||
serde_json = "1.0.96"
|
||||
triomphe = { version = "0.1.8", default-features = false, features = ["std"] }
|
||||
# can't upgrade due to dashmap depending on 0.12.3 currently
|
||||
|
@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "lsp-server"
|
||||
version = "0.7.2"
|
||||
version = "0.7.3"
|
||||
description = "Generic LSP server scaffold."
|
||||
license = "MIT OR Apache-2.0"
|
||||
repository = "https://github.com/rust-lang/rust-analyzer/tree/master/lib/lsp-server"
|
||||
@ -9,7 +9,8 @@ edition = "2021"
|
||||
[dependencies]
|
||||
log = "0.4.17"
|
||||
serde_json = "1.0.96"
|
||||
serde = { version = "1.0.156", features = ["derive"] }
|
||||
# See https://github.com/serde-rs/serde/issues/2538#issuecomment-1684517372 for why we pin serde
|
||||
serde = { version = "1.0.156, < 1.0.172", features = ["derive"] }
|
||||
crossbeam-channel = "0.5.6"
|
||||
|
||||
[dev-dependencies]
|
||||
|
Loading…
Reference in New Issue
Block a user