From 1e331cc9eaa446bc722159aee783bcec2c93dfdb Mon Sep 17 00:00:00 2001 From: Eric Kidd Date: Sun, 20 Aug 2023 09:33:27 -0400 Subject: [PATCH] v1.3.11: Revert binary `serde_derive` plugin See https://github.com/serde-rs/serde/issues/2538 --- CHANGELOG.md | 6 ++++++ Cargo.lock | 2 +- Cargo.toml | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e4aee3a..905016a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.3.11] - 2023-08-20 + +### Security + +- Roll back `serde_derive` to version 1.0.171 and pin it there, to avoid using [the new `serde_derive` that uses a pre-built binary compiler plugin](https://github.com/serde-rs/serde/issues/2538). The binary plugin has not been successfully reproduced from source when I last looked, and it represents an unacceptable security risk, since it can't be audited without disassembling the binary code. We'll need a longer-term plan for this. + ## [1.3.10] - 2023-08-11 ### Fixed diff --git a/Cargo.lock b/Cargo.lock index 47f281d..191fa93 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -847,7 +847,7 @@ dependencies = [ [[package]] name = "geocode-csv" -version = "1.3.10" +version = "1.3.11" dependencies = [ "anyhow", "async-trait", diff --git a/Cargo.toml b/Cargo.toml index 697fcc6..a139524 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "geocode-csv" -version = "1.3.10" +version = "1.3.11" authors = ["Eric Kidd "] edition = "2018"