chore: replace serde-yml with serde-saphyr

- serde-yml has an un-addressed [security issue][sec-issue] - [saphyr][saphyr] is a pretty recent and active crate that deals with YAML parsing - based on that, someone recently created [serde-saphyr][serde-saphyr] --- The change was pretty straightforward and mostly "just a search and replace". The new crate has it's `Error` type split into serialization and derserialization errors. Hence I created one Continuwuity-Error variant for each instead of just having a single `Yaml` variant. This was already done previously with the `Toml` errors so I thought this would be rather acceptable. [sec-issue]: https://github.com/advisories/GHSA-gfxp-f68g-8x78 [saphyr]: https://github.com/saphyr-rs/saphyr [serde-saphyr]: https://github.com/saphyr-rs/saphyr/issues/66#issuecomment-3353212289
2025-11-09 11:23:32 +01:00 · 2025-11-09 11:23:32 +01:00 · 866769c054
commit 866769c054
parent 2e3b71f5f1
8 changed files with 96 additions and 51 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -141,6 +141,12 @@ dependencies = [
 "password-hash",
 ]

+[[package]]
+name = "arraydeque"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d902e3d592a523def97af8f317b08ce16b7ab854c1985a0c671e6f15cebc236"
+
 [[package]]
 name = "arrayvec"
 version = "0.7.6"
@ -719,7 +725,7 @@ version = "0.15.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d067ad48b8650848b989a59a86c6c36a995d02d2bf778d45c3c5d57bc2718f02"
 dependencies = [
- "smallvec",
+ "smallvec 1.15.1",
 "target-lexicon",
 ]

@ -920,8 +926,8 @@ dependencies = [
 "futures",
 "log",
 "ruma",
+ "serde-saphyr",
 "serde_json",
- "serde_yml",
 "tokio",
 "tracing",
 "tracing-subscriber",
@ -1010,11 +1016,11 @@ dependencies = [
 "ruma",
 "sanitize-filename",
 "serde",
+ "serde-saphyr",
 "serde_json",
 "serde_regex",
- "serde_yml",
 "smallstr",
- "smallvec",
+ "smallvec 1.15.1",
 "thiserror 2.0.17",
 "tikv-jemalloc-ctl",
 "tikv-jemalloc-sys",
@ -1123,8 +1129,8 @@ dependencies = [
 "rustyline-async",
 "sd-notify",
 "serde",
+ "serde-saphyr",
 "serde_json",
- "serde_yml",
 "sha2",
 "termimad",
 "tokio",
@ -1691,7 +1697,7 @@ dependencies = [
 "lebe",
 "miniz_oxide",
 "rayon-core",
- "smallvec",
+ "smallvec 1.15.1",
 "zune-inflate",
 ]

@ -1784,6 +1790,12 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"

+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@ -2019,12 +2031,30 @@ version = "0.12.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"

+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "foldhash",
+]
+
 [[package]]
 name = "hashbrown"
 version = "0.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"

+[[package]]
+name = "hashlink"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1"
+dependencies = [
+ "hashbrown 0.15.5",
+]
+
 [[package]]
 name = "hdrhistogram"
 version = "7.5.4"
@ -2122,7 +2152,7 @@ dependencies = [
 "rand 0.9.2",
 "resolv-conf",
 "serde",
- "smallvec",
+ "smallvec 1.15.1",
 "thiserror 2.0.17",
 "tokio",
 "tracing",
@ -2241,7 +2271,7 @@ dependencies = [
 "itoa",
 "pin-project-lite",
 "pin-utils",
- "smallvec",
+ "smallvec 1.15.1",
 "tokio",
 "want",
 ]
@ -2338,7 +2368,7 @@ dependencies = [
 "icu_normalizer_data",
 "icu_properties",
 "icu_provider",
- "smallvec",
+ "smallvec 1.15.1",
 "zerovec",
 ]

@ -2394,7 +2424,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
 dependencies = [
 "idna_adapter",
- "smallvec",
+ "smallvec 1.15.1",
 "utf8_iter",
 ]

@ -2713,16 +2743,6 @@ dependencies = [
 "windows-link 0.2.1",
 ]

-[[package]]
-name = "libyml"
-version = "0.0.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3302702afa434ffa30847a83305f0a69d6abd74293b6554c18ec85c7ef30c980"
-dependencies = [
- "anyhow",
- "version_check",
-]
-
 [[package]]
 name = "libz-sys"
 version = "1.1.22"
@ -2972,7 +2992,7 @@ dependencies = [
 "parking_lot",
 "portable-atomic",
 "rustc_version",
- "smallvec",
+ "smallvec 1.15.1",
 "tagptr",
 "uuid",
 ]
@ -3005,6 +3025,12 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "nohash-hasher"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451"
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@ -3305,7 +3331,7 @@ dependencies = [
 "libc",
 "petgraph",
 "redox_syscall",
- "smallvec",
+ "smallvec 1.15.1",
 "windows-link 0.2.1",
 ]

@ -4074,7 +4100,7 @@ dependencies = [
 "serde",
 "serde_html_form",
 "serde_json",
- "smallvec",
+ "smallvec 1.15.1",
 "thiserror 2.0.17",
 "time",
 "tracing",
@ -4101,7 +4127,7 @@ dependencies = [
 "ruma-macros",
 "serde",
 "serde_json",
- "smallvec",
+ "smallvec 1.15.1",
 "thiserror 2.0.17",
 "tracing",
 "url",
@ -4357,6 +4383,16 @@ dependencies = [
 "regex",
 ]

+[[package]]
+name = "saphyr-parser"
+version = "0.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fb771b59f6b1985d1406325ec28f97cfb14256abcec4fdfb37b36a1766d6af7"
+dependencies = [
+ "arraydeque",
+ "hashlink",
+]
+
 [[package]]
 name = "schannel"
 version = "0.1.28"
@ -4553,6 +4589,22 @@ dependencies = [
 "serde_derive",
 ]

+[[package]]
+name = "serde-saphyr"
+version = "0.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd76af9505b2498740576f95f60b3b4e2c469b5b677a8d2dd1d2da18b58193de"
+dependencies = [
+ "base64 0.22.1",
+ "nohash-hasher",
+ "num-traits",
+ "ryu",
+ "saphyr-parser",
+ "serde",
+ "serde_json",
+ "smallvec 2.0.0-alpha.11",
+]
+
 [[package]]
 name = "serde_core"
 version = "1.0.228"
@ -4650,21 +4702,6 @@ dependencies = [
 "serde",
 ]

-[[package]]
-name = "serde_yml"
-version = "0.0.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "59e2dd588bf1597a252c3b920e0143eb99b0f76e4e082f4c92ce34fbc9e71ddd"
-dependencies = [
- "indexmap 2.11.4",
- "itoa",
- "libyml",
- "memchr",
- "ryu",
- "serde",
- "version_check",
-]
-
 [[package]]
 name = "sha1"
 version = "0.10.6"
@ -4775,7 +4812,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "862077b1e764f04c251fe82a2ef562fd78d7cadaeb072ca7c2bcaf7217b1ff3b"
 dependencies = [
 "serde",
- "smallvec",
+ "smallvec 1.15.1",
 ]

 [[package]]
@ -4787,6 +4824,12 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "smallvec"
+version = "2.0.0-alpha.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87b96efa4bd6bdd2ff0c6615cc36fc4970cbae63cfd46ddff5cee35a1b4df570"
+
 [[package]]
 name = "socket2"
 version = "0.5.10"
@ -5474,7 +5517,7 @@ dependencies = [
 "once_cell",
 "opentelemetry",
 "opentelemetry_sdk",
- "smallvec",
+ "smallvec 1.15.1",
 "tracing",
 "tracing-core",
 "tracing-log",
@ -5492,7 +5535,7 @@ dependencies = [
 "once_cell",
 "regex",
 "sharded-slab",
- "smallvec",
+ "smallvec 1.15.1",
 "thread_local",
 "tracing",
 "tracing-core",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -166,8 +166,8 @@ default-features = false
 features = ["raw_value"]

 # Used for appservice registration files
-[workspace.dependencies.serde_yml]
-version = "0.0.12"
+[workspace.dependencies.serde-saphyr]
+version = "0.0.7"

 # Used to load forbidden room/user regex from config
 [workspace.dependencies.serde_regex]
--- a/src/admin/Cargo.toml
+++ b/src/admin/Cargo.toml
@ -85,7 +85,7 @@ futures.workspace = true
 log.workspace = true
 ruma.workspace = true
 serde_json.workspace = true
-serde_yml.workspace = true
+serde-saphyr.workspace = true
 tokio.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
--- a/src/admin/appservice/commands.rs
+++ b/src/admin/appservice/commands.rs
@ -16,7 +16,7 @@ pub(super) async fn register(&self) -> Result {

 	let range = 1..checked!(body_len - 1)?;
 	let appservice_config_body = body[range].join("\n");
-	let parsed_config = serde_yml::from_str(&appservice_config_body);
+	let parsed_config = serde_saphyr::from_str(&appservice_config_body);
 	match parsed_config {
 		| Err(e) => return Err!("Could not parse appservice config as YAML: {e}"),
 		| Ok(registration) => match self
@ -57,7 +57,7 @@ pub(super) async fn show_appservice_config(&self, appservice_identifier: String)
 	{
 		| None => return Err!("Appservice does not exist."),
 		| Some(config) => {
-			let config_str = serde_yml::to_string(&config)?;
+			let config_str = serde_saphyr::to_string(&config)?;
 			write!(self, "Config for {appservice_identifier}:\n\n```yaml\n{config_str}\n```")
 		},
 	}
--- a/src/core/Cargo.toml
+++ b/src/core/Cargo.toml
@ -92,7 +92,7 @@ ruma.workspace = true
 sanitize-filename.workspace = true
 serde_json.workspace = true
 serde_regex.workspace = true
-serde_yml.workspace = true
+serde-saphyr.workspace = true
 serde.workspace = true
 smallvec.workspace = true
 smallstr.workspace = true
--- a/src/core/error/mod.rs
+++ b/src/core/error/mod.rs
@ -83,7 +83,9 @@ pub enum Error {
 	#[error(transparent)]
 	TypedHeader(#[from] axum_extra::typed_header::TypedHeaderRejection),
 	#[error(transparent)]
-	Yaml(#[from] serde_yml::Error),
+	YamlDe(#[from] serde_saphyr::Error),
+	#[error(transparent)]
+	YamlSer(#[from] serde_saphyr::ser_error::Error),

 	// ruma/conduwuit
 	#[error("Arithmetic operation failed: {0}")]
--- a/src/service/Cargo.toml
+++ b/src/service/Cargo.toml
@ -108,7 +108,7 @@ rustyline-async.workspace = true
 rustyline-async.optional = true
 serde_json.workspace = true
 serde.workspace = true
-serde_yml.workspace = true
+serde-saphyr.workspace = true
 sha2.workspace = true
 termimad.workspace = true
 termimad.optional = true
--- a/src/service/appservice/mod.rs
+++ b/src/service/appservice/mod.rs
@ -271,7 +271,7 @@ impl Service {
 			.id_appserviceregistrations
 			.get(id)
 			.await
-			.and_then(|ref bytes| serde_yml::from_slice(bytes).map_err(Into::into))
+			.and_then(|ref bytes| serde_saphyr::from_slice(bytes).map_err(Into::into))
 			.map_err(|e| err!(Database("Invalid appservice {id:?} registration: {e:?}")))
 	}