chore(deps): update rust crate serde_with to 3.21.0 [security] #16

Open
renovate wants to merge 1 commit from renovate/crate-serde_with-vulnerability into main
Member

This PR contains the following updates:

Package Type Update Change
serde_with dependencies minor 3.7.03.21.0

serde_with: KeyValueMap serialization panics on empty sequence or map entries

GHSA-7gcf-g7xr-8hxj

More information

Details

Summary

The public KeyValueMap serializer assumes that each mapped element has at least one field or item to use as the map key, but it subtracts 1 from the caller-visible length before validating that assumption. An application that serializes attacker-controlled data through #[serde_as(as = "KeyValueMap<_>")] can be crashed by an empty inner sequence or map entry.

Details

The affected public surface includes:

  • Serialization of #[serde_as(as = "KeyValueMap<_>")] values through serde_json::to_string or any other Serde serializer`
  • Public KeyValueMap conversions for sequence and map-backed entries`

The root cause is: The KeyValueMap serializer preallocating Vec::with_capacity(len - 1) or Vec::with_capacity(len.unwrap_or(17) - 1) before checking that the element actually contains the required first key field or item.

The vulnerable data/control flow is: attacker-controlled empty entry -> serde_json::to_string -> KeyValueMap<TAs>::serialize_as -> SeqAsMapSerializer::{serialize_seq,serialize_map} -> Vec::with_capacity(len - 1) or Vec::with_capacity(len.unwrap_or(17) - 1) -> panic

Relevant source locations:

  • serde_with/src/key_value_map.rs:590
  • serde_with/src/key_value_map.rs:599
  • serde_with/src/key_value_map.rs:613
  • serde_with/src/key_value_map.rs:632
  • serde_with/src/key_value_map.rs:648
PoC
/*
[dependencies]
serde = {version = "*", features = ["derive"]}
serde_with = "*"
serde_json = "*"
*/

use serde::Serialize;
use serde_with::{serde_as, KeyValueMap};

#[derive(Serialize)]

#[serde(transparent)]
struct Seq(Vec<String>);

#[serde_as]

#[derive(Serialize)]
#[serde(transparent)]
struct KVMap {
    #[serde_as(as = "KeyValueMap<_>")]
    foo: Vec<Seq>,
}

fn main() {
    let value = KVMap {
        foo: vec![Seq(Vec::new())],
    };
    let _ = serde_json::to_string(&value).unwrap();
}
Impact

A local attacker who can trigger serialization of attacker-controlled data through KeyValueMap can terminate the process, causing a denial of service.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

jonasbb/serde_with (serde_with)

v3.21.0: serde_with v3.21.0

Compare Source

Security
  • GHSA-7gcf-g7xr-8hxj: KeyValueMap serialization panics on empty sequence or map entries
    Bad or attacker controlled values could cause a panic while allocating too large values.
    Fixed in #​966 by setting a maximum allocation size during the creation of collections like Vec or sets.

    Thanks to @​7thParkk for reporting the issue.

Added
  • Add NoneAsZero adapter that maps Option<NonZero*> to a plain integer, encoding None as 0 by @​SAY-5 (#​486)
Changed
  • Re-enable link-to-definition on docs.rs (#​964)
Fixed
  • Fix some doc links to point to the correct types (#​963)
  • Re-enable unused_qualifications and fix the resulting findings by @​lms0806 (#​962)

v3.20.0: serde_with v3.20.0

Compare Source

Added
Fixed

v3.19.0: serde_with v3.19.0

Compare Source

Added
  • Add support for hashbrown v0.17 (#​940)

    This extends the existing support for hashbrown to the newly released version.

v3.18.0: serde_with v3.18.0

Compare Source

Added
  • Support OneOrMany with more sequence and set types (#​929)
Changed
  • Bump MSRV to 1.88 due to the darling dependency

v3.17.0: serde_with v3.17.0

Compare Source

Added
Changed
  • Switch to yaml_serde for a maintained yaml dependency by @​kazan417 (#​921)
  • Bump MSRV to 1.82, since that is required for yaml_serde dev-dependency.

v3.16.1: serde_with v3.16.1

Compare Source

Fixed
  • Fix JsonSchemaAs of SetPreventDuplicates and SetLastValueWins. (#​906, #​907)

v3.16.0: serde_with v3.16.0

Compare Source

Added

v3.15.1: serde_with v3.15.1

Compare Source

Fixed
  • Fix building of the documentation by updating references to use serde_core.

v3.15.0: serde_with v3.15.0

Compare Source

Added
  • Added error inspection to VecSkipError and MapSkipError by @​michelhe (#​878)
    This allows interacting with the previously hidden error, for example for logging.
    Checkout the newly added example to both types.

  • Allow documenting the types generated by serde_conv!.
    The serde_conv! macro now acceps outer attributes before the optional visibility modifier.
    This allow adding doc comments in the shape of #[doc = "..."] or any other attributes, such as lint modifiers.

    serde_conv!(
        #[doc = "Serialize bools as string"]
        #[allow(dead_code)]
        pub BoolAsString,
        bool,
        |x: &bool| ::std::string::ToString::to_string(x),
        |x: ::std::string::String| x.parse()
    );
    
  • Add support for hashbrown v0.16 (#​877)

    This extends the existing support for hashbrown v0.14 and v0.15 to the newly released version.

Changed
  • Bump MSRV to 1.76, since that is required for toml dev-dependency.

v3.14.1: serde_with v3.14.1

Compare Source

Fixed
  • Show macro expansion in the docs.rs generated rustdoc.
    Since macros are used to generate trait implementations, this is useful to understand the exact generated code.

v3.14.0: serde_with v3.14.0

Compare Source

Added
  • Add support for Range, RangeFrom, RangeTo, RangeInclusive (#​851)
    RangeToInclusive is currently unsupported by serde.
  • Add schemars implementations for Bound, Range, RangeFrom, RangeTo, RangeInclusive.
  • Added support for schemars v1 under the schemars_1 feature flag

v3.13.0: serde_with v3.13.0

Compare Source

Added
  • Added support for schemars v0.9.0 under the schemars_0_9 feature flag by @​swlynch99 (#​849)
  • Introduce SerializeDisplayAlt derive macro (#​833)
    An alternative to the SerializeDisplay macro except instead of using the
    plain formatting like format!("{}", ...), it serializes with the
    Formatter::alternate flag set to true, like format!("{:#}", ...)
Changed
  • Generalize serde_with::rust::unwrap_or_skip to support deserializing references by @​beroal (#​832)
  • Bump MSRV to 1.71, since that is required for the jsonschema dev-dependency.
  • Make serde_conv available without the std feature by @​arilou (#​839)
  • Bump MSRV to 1.74, since that is required for schemars v0.9.0 by @​swlynch99 (#​849)
Fixed
  • Make the DurationSeconds types and other variants more accessible even without std (#​845)

v3.12.0: serde_with v3.12.0

Compare Source

Added
Changed
Fixed

v3.11.0: serde_with v3.11.0

Compare Source

Added
  • Add support for hashbrown v0.15 (#​787/#​790)

    This extends the existing support for hashbrown v0.14 to the newly released version.

v3.10.0: serde_with v3.10.0

Compare Source

Added
  • Add newline separator by @​jayvdb (#​777)

    The UnixLineSeparator and DosLineSeparator can be used together with StringWithSeparator.

Fixed
  • Proper handling of cfg_attr in the serde_as macro by @​sivizius (#​782)

    This allows to parse more valid forms of the cfg_attr macro, including multiple values and attribute that do not follow the key = value schema.

v3.9.0: serde_with v3.9.0

Compare Source

Added
  • Deserialize a map` and skip all elements failing to deserialize by @​johnmave126 (#​763)

    MapSkipError acts like a map (HashMap/BTreeMap), but keys or values that fail to deserialize, like are ignored.

    For formats with heterogeneously typed maps, we can collect only the elements where both key and value are deserializable.
    This is also useful in conjunction to #[serde(flatten)] to ignore some entries when capturing additional fields.

    // JSON
    "value": {"0": "v0", "5": "v5", "str": "str", "10": 2},
    
    // Rust
    #[serde_as(as = "MapSkipError<DisplayFromStr, _>")]
    value: BTreeMap<u32, String>,
    
    // Only deserializes entries with a numerical key and a string value, i.e.,
    {0 => "v0", 5 => "v5"}
    

v3.8.3: serde_with v3.8.3

Compare Source

Fixed
  • Fix compile issues when dependency schemars_0_8 is used with the preserve_order features (#​762)

v3.8.2: serde_with v3.8.2

Compare Source

Changed
  • Bump MSRV to 1.67, since that is required for the time dependency.
    The time version needed to be updated for nightly compatibility.
Fixed

v3.8.1: serde_with v3.8.1

Compare Source

Fixed
  • Do not emit schemars(deserialize_with = "...") annotations, as schemars does not support them (#​735)
    Thanks to @​sivizius for reporting the issue.

v3.8.0: serde_with v3.8.0

Compare Source

Added
Changed
  • Bump base64 dependency to v0.22 (#​724)
  • Update dev dependencies
Fixed
  • serde_conv regressed and triggered clippy::ptr_arg and add test to prevent future problems. (#​731)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [serde_with](https://github.com/jonasbb/serde_with) | dependencies | minor | `3.7.0` → `3.21.0` | --- ### serde_with: KeyValueMap serialization panics on empty sequence or map entries [GHSA-7gcf-g7xr-8hxj](https://github.com/advisories/GHSA-7gcf-g7xr-8hxj) <details> <summary>More information</summary> #### Details ##### Summary The public `KeyValueMap` serializer assumes that each mapped element has at least one field or item to use as the map key, but it subtracts `1` from the caller-visible length before validating that assumption. An application that serializes attacker-controlled data through `#[serde_as(as = "KeyValueMap<_>")]` can be crashed by an empty inner sequence or map entry. ##### Details The affected public surface includes: - Serialization of `#[serde_as(as = "KeyValueMap<_>")]` values through `serde_json::to_string` or any other Serde serializer` - Public `KeyValueMap` conversions for sequence and map-backed entries` The root cause is: The `KeyValueMap` serializer preallocating `Vec::with_capacity(len - 1)` or `Vec::with_capacity(len.unwrap_or(17) - 1)` before checking that the element actually contains the required first key field or item. The vulnerable data/control flow is: attacker-controlled empty entry -> `serde_json::to_string` -> `KeyValueMap<TAs>::serialize_as` -> `SeqAsMapSerializer::{serialize_seq,serialize_map}` -> `Vec::with_capacity(len - 1)` or `Vec::with_capacity(len.unwrap_or(17) - 1)` -> panic Relevant source locations: - `serde_with/src/key_value_map.rs:590` - `serde_with/src/key_value_map.rs:599` - `serde_with/src/key_value_map.rs:613` - `serde_with/src/key_value_map.rs:632` - `serde_with/src/key_value_map.rs:648` ##### PoC ```rust /* [dependencies] serde = {version = "*", features = ["derive"]} serde_with = "*" serde_json = "*" */ use serde::Serialize; use serde_with::{serde_as, KeyValueMap}; #[derive(Serialize)] #[serde(transparent)] struct Seq(Vec<String>); #[serde_as] #[derive(Serialize)] #[serde(transparent)] struct KVMap { #[serde_as(as = "KeyValueMap<_>")] foo: Vec<Seq>, } fn main() { let value = KVMap { foo: vec![Seq(Vec::new())], }; let _ = serde_json::to_string(&value).unwrap(); } ``` ##### Impact A local attacker who can trigger serialization of attacker-controlled data through `KeyValueMap` can terminate the process, causing a denial of service. #### Severity - CVSS Score: 5.1 / 10 (Medium) - Vector String: `CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N` #### References - [https://github.com/jonasbb/serde_with/security/advisories/GHSA-7gcf-g7xr-8hxj](https://github.com/jonasbb/serde_with/security/advisories/GHSA-7gcf-g7xr-8hxj) - [https://github.com/jonasbb/serde_with/pull/966](https://github.com/jonasbb/serde_with/pull/966) - [https://github.com/jonasbb/serde_with/commit/c8a1d820ea25df01692b367058d587343e199389](https://github.com/jonasbb/serde_with/commit/c8a1d820ea25df01692b367058d587343e199389) - [https://github.com/jonasbb/serde_with](https://github.com/jonasbb/serde_with) - [https://github.com/jonasbb/serde_with/releases/tag/v3.21.0](https://github.com/jonasbb/serde_with/releases/tag/v3.21.0) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7gcf-g7xr-8hxj) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>jonasbb/serde_with (serde_with)</summary> ### [`v3.21.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.21.0): serde_with v3.21.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.20.0...v3.21.0) ##### Security - [GHSA-7gcf-g7xr-8hxj](https://github.com/jonasbb/serde_with/security/advisories/GHSA-7gcf-g7xr-8hxj): KeyValueMap serialization panics on empty sequence or map entries Bad or attacker controlled values could cause a panic while allocating too large values. Fixed in [#&#8203;966](https://github.com/jonasbb/serde_with/issues/966) by setting a maximum allocation size during the creation of collections like `Vec` or sets. Thanks to [@&#8203;7thParkk](https://github.com/7thParkk) for reporting the issue. ##### Added - Add `NoneAsZero` adapter that maps `Option<NonZero*>` to a plain integer, encoding `None` as `0` by [@&#8203;SAY-5](https://github.com/SAY-5) ([#&#8203;486](https://github.com/jonasbb/serde_with/issues/486)) ##### Changed - Re-enable link-to-definition on docs.rs ([#&#8203;964](https://github.com/jonasbb/serde_with/issues/964)) ##### Fixed - Fix some doc links to point to the correct types ([#&#8203;963](https://github.com/jonasbb/serde_with/issues/963)) - Re-enable `unused_qualifications` and fix the resulting findings by [@&#8203;lms0806](https://github.com/lms0806) ([#&#8203;962](https://github.com/jonasbb/serde_with/issues/962)) ### [`v3.20.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.20.0): serde_with v3.20.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.19.0...v3.20.0) ##### Added - Add support for `base58` encoding, similar to the existing `base64` setup by [@&#8203;mitinarseny](https://github.com/mitinarseny) ([#&#8203;943](https://github.com/jonasbb/serde_with/issues/943)) ##### Fixed - Extend `base64` with `schemars` support by [@&#8203;mitinarseny](https://github.com/mitinarseny) ([#&#8203;9949](https://github.com/jonasbb/serde_with/issues/9949)) ### [`v3.19.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.19.0): serde_with v3.19.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.18.0...v3.19.0) ##### Added - Add support for `hashbrown` v0.17 ([#&#8203;940](https://github.com/jonasbb/serde_with/issues/940)) This extends the existing support for `hashbrown` to the newly released version. ### [`v3.18.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.18.0): serde_with v3.18.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.17.0...v3.18.0) ##### Added - Support `OneOrMany` with more sequence and set types ([#&#8203;929](https://github.com/jonasbb/serde_with/issues/929)) ##### Changed - Bump MSRV to 1.88 due to the `darling` dependency ### [`v3.17.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.17.0): serde_with v3.17.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.16.1...v3.17.0) ##### Added - Support `OneOrMany` with `smallvec` v1 ([#&#8203;920](https://github.com/jonasbb/serde_with/issues/920), [#&#8203;922](https://github.com/jonasbb/serde_with/issues/922)) ##### Changed - Switch to `yaml_serde` for a maintained yaml dependency by [@&#8203;kazan417](https://github.com/kazan417) ([#&#8203;921](https://github.com/jonasbb/serde_with/issues/921)) - Bump MSRV to 1.82, since that is required for `yaml_serde` dev-dependency. ### [`v3.16.1`](https://github.com/jonasbb/serde_with/releases/tag/v3.16.1): serde_with v3.16.1 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.16.0...v3.16.1) ##### Fixed - Fix `JsonSchemaAs` of `SetPreventDuplicates` and `SetLastValueWins`. ([#&#8203;906](https://github.com/jonasbb/serde_with/issues/906), [#&#8203;907](https://github.com/jonasbb/serde_with/issues/907)) ### [`v3.16.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.16.0): serde_with v3.16.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.15.1...v3.16.0) ##### Added - Added support for `smallvec` v1 under the `smallvec_1` feature flag by [@&#8203;isharma228](https://github.com/isharma228) ([#&#8203;895](https://github.com/jonasbb/serde_with/issues/895)) - Add `JsonSchemaAs` implementation for `json::JsonString` by [@&#8203;yogevm15](https://github.com/yogevm15) ([#&#8203;901](https://github.com/jonasbb/serde_with/issues/901)) ### [`v3.15.1`](https://github.com/jonasbb/serde_with/releases/tag/v3.15.1): serde_with v3.15.1 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.15.0...v3.15.1) ##### Fixed - Fix building of the documentation by updating references to use `serde_core`. ### [`v3.15.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.15.0): serde_with v3.15.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.14.1...v3.15.0) ##### Added - Added error inspection to `VecSkipError` and `MapSkipError` by [@&#8203;michelhe](https://github.com/michelhe) ([#&#8203;878](https://github.com/jonasbb/serde_with/issues/878)) This allows interacting with the previously hidden error, for example for logging. Checkout the newly added example to both types. - Allow documenting the types generated by `serde_conv!`. The `serde_conv!` macro now acceps outer attributes before the optional visibility modifier. This allow adding doc comments in the shape of `#[doc = "..."]` or any other attributes, such as lint modifiers. ```rust serde_conv!( #[doc = "Serialize bools as string"] #[allow(dead_code)] pub BoolAsString, bool, |x: &bool| ::std::string::ToString::to_string(x), |x: ::std::string::String| x.parse() ); ``` - Add support for `hashbrown` v0.16 ([#&#8203;877](https://github.com/jonasbb/serde_with/issues/877)) This extends the existing support for `hashbrown` v0.14 and v0.15 to the newly released version. ##### Changed - Bump MSRV to 1.76, since that is required for `toml` dev-dependency. ### [`v3.14.1`](https://github.com/jonasbb/serde_with/releases/tag/v3.14.1): serde_with v3.14.1 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.14.0...v3.14.1) ##### Fixed - Show macro expansion in the docs.rs generated rustdoc. Since macros are used to generate trait implementations, this is useful to understand the exact generated code. ### [`v3.14.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.14.0): serde_with v3.14.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.13.0...v3.14.0) ##### Added - Add support for `Range`, `RangeFrom`, `RangeTo`, `RangeInclusive` ([#&#8203;851](https://github.com/jonasbb/serde_with/issues/851)) `RangeToInclusive` is currently unsupported by serde. - Add `schemars` implementations for `Bound`, `Range`, `RangeFrom`, `RangeTo`, `RangeInclusive`. - Added support for `schemars` v1 under the `schemars_1` feature flag ### [`v3.13.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.13.0): serde_with v3.13.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.12.0...v3.13.0) ##### Added - Added support for `schemars` v0.9.0 under the `schemars_0_9` feature flag by [@&#8203;swlynch99](https://github.com/swlynch99) ([#&#8203;849](https://github.com/jonasbb/serde_with/issues/849)) - Introduce `SerializeDisplayAlt` derive macro ([#&#8203;833](https://github.com/jonasbb/serde_with/issues/833)) An alternative to the `SerializeDisplay` macro except instead of using the plain formatting like `format!("{}", ...)`, it serializes with the `Formatter::alternate` flag set to true, like `format!("{:#}", ...)` ##### Changed - Generalize `serde_with::rust::unwrap_or_skip` to support deserializing references by [@&#8203;beroal](https://github.com/beroal) ([#&#8203;832](https://github.com/jonasbb/serde_with/issues/832)) - Bump MSRV to 1.71, since that is required for the `jsonschema` dev-dependency. - Make `serde_conv` available without the `std` feature by [@&#8203;arilou](https://github.com/arilou) ([#&#8203;839](https://github.com/jonasbb/serde_with/issues/839)) - Bump MSRV to 1.74, since that is required for `schemars` v0.9.0 by [@&#8203;swlynch99](https://github.com/swlynch99) ([#&#8203;849](https://github.com/jonasbb/serde_with/issues/849)) ##### Fixed - Make the `DurationSeconds` types and other variants more accessible even without `std` ([#&#8203;845](https://github.com/jonasbb/serde_with/issues/845)) ### [`v3.12.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.12.0): serde_with v3.12.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.11.0...v3.12.0) ##### Added - Add `with_suffix!` macro, which puts a suffix on every struct field by [@&#8203;fgardt](https://github.com/fgardt) ([#&#8203;381](https://github.com/jonasbb/serde_with/issues/381)/[#&#8203;797](https://github.com/jonasbb/serde_with/issues/797)) ##### Changed - Reformat all `Cargo.toml` files by [@&#8203;nyurik](https://github.com/nyurik) ([#&#8203;803](https://github.com/jonasbb/serde_with/issues/803)) - Better handle internal arithmetic and improve error messages ([#&#8203;809](https://github.com/jonasbb/serde_with/issues/809)/[#&#8203;810](https://github.com/jonasbb/serde_with/issues/810)/[#&#8203;811](https://github.com/jonasbb/serde_with/issues/811)) ##### Fixed - Generated schemas are not valid when using rust style names in ref by [@&#8203;waltronix](https://github.com/waltronix) ([#&#8203;798](https://github.com/jonasbb/serde_with/issues/798)/[#&#8203;799](https://github.com/jonasbb/serde_with/issues/799)) ### [`v3.11.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.11.0): serde_with v3.11.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.10.0...v3.11.0) ##### Added - Add support for `hashbrown` v0.15 ([#&#8203;787](https://github.com/jonasbb/serde_with/issues/787)/[#&#8203;790](https://github.com/jonasbb/serde_with/issues/790)) This extends the existing support for `hashbrown` v0.14 to the newly released version. ### [`v3.10.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.10.0): serde_with v3.10.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.9.0...v3.10.0) ##### Added - Add newline separator by [@&#8203;jayvdb](https://github.com/jayvdb) ([#&#8203;777](https://github.com/jonasbb/serde_with/issues/777)) The `UnixLineSeparator` and `DosLineSeparator` can be used together with `StringWithSeparator`. ##### Fixed - Proper handling of `cfg_attr` in the `serde_as` macro by [@&#8203;sivizius](https://github.com/sivizius) ([#&#8203;782](https://github.com/jonasbb/serde_with/issues/782)) This allows to parse more valid forms of the `cfg_attr` macro, including multiple values and attribute that do not follow the `key = value` schema. ### [`v3.9.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.9.0): serde_with v3.9.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.8.3...v3.9.0) ##### Added - Deserialize a map\` and skip all elements failing to deserialize by [@&#8203;johnmave126](https://github.com/johnmave126) ([#&#8203;763](https://github.com/jonasbb/serde_with/issues/763)) `MapSkipError` acts like a map (`HashMap`/`BTreeMap`), but keys or values that fail to deserialize, like are ignored. For formats with heterogeneously typed maps, we can collect only the elements where both key and value are deserializable. This is also useful in conjunction to `#[serde(flatten)]` to ignore some entries when capturing additional fields. ```text // JSON "value": {"0": "v0", "5": "v5", "str": "str", "10": 2}, // Rust #[serde_as(as = "MapSkipError<DisplayFromStr, _>")] value: BTreeMap<u32, String>, // Only deserializes entries with a numerical key and a string value, i.e., {0 => "v0", 5 => "v5"} ``` ### [`v3.8.3`](https://github.com/jonasbb/serde_with/releases/tag/v3.8.3): serde_with v3.8.3 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.8.2...v3.8.3) ##### Fixed - Fix compile issues when dependency `schemars_0_8` is used with the `preserve_order` features ([#&#8203;762](https://github.com/jonasbb/serde_with/issues/762)) ### [`v3.8.2`](https://github.com/jonasbb/serde_with/releases/tag/v3.8.2): serde_with v3.8.2 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.8.1...v3.8.2) ##### Changed - Bump MSRV to 1.67, since that is required for the `time` dependency. The `time` version needed to be updated for nightly compatibility. ##### Fixed - Implement `JsonSchemaAs` for `OneOrMany` instead of `JsonSchema` by [@&#8203;swlynch99](https://github.com/swlynch99) ([#&#8203;760](https://github.com/jonasbb/serde_with/issues/760)) ### [`v3.8.1`](https://github.com/jonasbb/serde_with/releases/tag/v3.8.1): serde_with v3.8.1 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.8.0...v3.8.1) ##### Fixed - Do not emit `schemars(deserialize_with = "...")` annotations, as `schemars` does not support them ([#&#8203;735](https://github.com/jonasbb/serde_with/issues/735)) Thanks to [@&#8203;sivizius](https://github.com/sivizius) for reporting the issue. ### [`v3.8.0`](https://github.com/jonasbb/serde_with/releases/tag/v3.8.0): serde_with v3.8.0 [Compare Source](https://github.com/jonasbb/serde_with/compare/v3.7.0...v3.8.0) ##### Added - Implement (De)Serialization for Pinned Smart Pointers by [@&#8203;Astralchroma](https://github.com/Astralchroma) ([#&#8203;733](https://github.com/jonasbb/serde_with/issues/733)) - Implement `JsonSchemaAs` for `PickFirst` by [@&#8203;swlynch99](https://github.com/swlynch99) ([#&#8203;721](https://github.com/jonasbb/serde_with/issues/721)) ##### Changed - Bump `base64` dependency to v0.22 ([#&#8203;724](https://github.com/jonasbb/serde_with/issues/724)) - Update dev dependencies ##### Fixed - `serde_conv` regressed and triggered `clippy::ptr_arg` and add test to prevent future problems. ([#&#8203;731](https://github.com/jonasbb/serde_with/issues/731)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNTMuMSIsInVwZGF0ZWRJblZlciI6IjQzLjI1My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
renovate added 1 commit 2026-07-15 23:52:31 -07:00
chore(deps): update rust crate serde_with to 3.21.0 [security]
Some checks failed
Validate / Check (push) Waiting to run
Validate / Check-2 (push) Waiting to run
Validate / Test Suite (push) Waiting to run
Validate / Test Suite-2 (push) Waiting to run
Validate / Check-1 (push) Failing after 1s
Validate / Test Suite-1 (push) Failing after 1s
Validate / Lints (push) Failing after 1s
28fcb06cdf
Some checks failed
Validate / Check (push) Waiting to run
Validate / Check-2 (push) Waiting to run
Validate / Test Suite (push) Waiting to run
Validate / Test Suite-2 (push) Waiting to run
Validate / Check-1 (push) Failing after 1s
Validate / Test Suite-1 (push) Failing after 1s
Validate / Lints (push) Failing after 1s
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/crate-serde_with-vulnerability:renovate/crate-serde_with-vulnerability
git checkout renovate/crate-serde_with-vulnerability

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git checkout main
git merge --no-ff renovate/crate-serde_with-vulnerability
git checkout renovate/crate-serde_with-vulnerability
git rebase main
git checkout main
git merge --ff-only renovate/crate-serde_with-vulnerability
git checkout renovate/crate-serde_with-vulnerability
git rebase main
git checkout main
git merge --no-ff renovate/crate-serde_with-vulnerability
git checkout main
git merge --squash renovate/crate-serde_with-vulnerability
git checkout main
git merge --ff-only renovate/crate-serde_with-vulnerability
git checkout main
git merge renovate/crate-serde_with-vulnerability
git push origin main
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Sulkta-OSS/pallas#16
No description provided.