path: root/compiler/rustc_llvm/llvm-wrapper/RustWrapper.cpp
author: Alex Kladov <aleksey.kladov@gmail.com> 2023-08-19 13:41:13 +0100
committer: Alex Kladov <aleksey.kladov@gmail.com> 2023-08-19 14:14:23 +0100
commit: 6c46b98a9532b93c538b3553a7ff6ab4aa50655c (patch)
tree: c40d2a6cba33557e6d97c24e3f50a1d43e1c9780 /compiler/rustc_llvm/llvm-wrapper/RustWrapper.cpp
parent: 721e0e3512c11028221edb4cbee2c03baff54848 (diff)
download: rust-6c46b98a9532b93c538b3553a7ff6ab4aa50655c.tar.gz
          rust-6c46b98a9532b93c538b3553a7ff6ab4aa50655c.zip
fix: avoid problematic serde release
serde 1.0.172 and up rely on opaque non-reproducible binary blobs to
function, explicitly not providing a library-level opt-out.

This is problematic for two reasons:

- directly, unauditable binary blobs are a security issue.
- indirectly, it becomes much harder to predict future behaviors of the
  crate.

As such, I am willing to go on a limb here and forbid building
rust-analyzer with those versions of serde. Normally, my philosophy is
to defer the choice to the end user, but it's also a design constraint
of rust-analyzer that we don't run random binaries downloaded from the
internet without explicit user's consent.

Concretely, this upper-bounds serde for both rust-analyzer workspace, as
well as the lsp-server lib.

See https://github.com/serde-rs/serde/issues/2538 for wider context.
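The commit message says the fix is an upper bound on serde in Cargo.toml, but the bound only helps if the resolved lock file actually respects it. The script below is an added example, not code from the rust-analyzer commit or its diff: it parses a constructed Cargo.lock excerpt, extracts the resolved serde version, and fails when that version is at or above 1.0.172 (the threshold the message names). The Cargo.toml requirement syntax in the comment is the assumed form of such an upper bound; the exact line the commit added is not shown on this page.

```shell
#!/bin/sh
# Added example: verify that a Cargo.lock keeps serde below 1.0.172.
# Assumed Cargo.toml counterpart of the upper bound described in the commit:
#   serde = { version = ">=1.0, <1.0.172", features = ["derive"] }

# Constructed Cargo.lock excerpt used as sample input (not a real lock file).
SAMPLE_LOCK='[[package]]
name = "serde"
version = "1.0.171"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde_derive"
version = "1.0.171"
'

# Print the resolved version of package $1 from Cargo.lock text on stdin.
# Each [[package]] block resets the name so version lines are matched to
# the right package.
lock_version() {
  awk -v pkg="$1" '
    /^\[\[package\]\]/ { name = ""; next }
    /^name = /    { gsub(/"/, "", $3); name = $3; next }
    /^version = / && name == pkg { gsub(/"/, "", $3); print $3; exit }
  '
}

# Return 0 when version $1 is strictly lower than $2, comparing each
# dotted component numerically (so 1.0.9 < 1.0.172, unlike string order).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    if (m > n) n = m
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Return 0 when the lock file on stdin resolves serde to a version below
# the first release that ships the opaque binary blob; non-zero otherwise
# (including when serde is absent, so a CI gate fails closed).
check_serde() {
  v=$(lock_version serde)
  [ -n "$v" ] && version_lt "$v" 1.0.172
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_LOCK" | check_serde && echo "serde pinned below 1.0.172"
```

Run it against a real workspace with `check_serde < Cargo.lock`; a non-zero exit is the signal that the resolver picked a version the upper bound was meant to exclude.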
Diffstat (limited to 'compiler/rustc_llvm/llvm-wrapper/RustWrapper.cpp')
0 files changed, 0 insertions, 0 deletions