serde-yaml VS advisory-db

Either https://github.com/chyh1990/yaml-rust or https://github.com/dtolnay/serde-yaml for parsing the YAML config file that markdownlint uses

Serde for most of your input and output formats, with the serde-yaml and csv crates for format backends.

serde_yaml

This is especially useful for data deserialization: Just by implementing the Serialize and Deserialize traits from the serde crate, the (almost) universally used serialization library in the Rust world, we can then serialize and deserialize our types to a lot of data formats: JSON, YAML, TOML, BSON and so on...

FYI, I opened pull requests for serde_json and serde_yaml to explicitly enable indexmap/std, and dtolnay already merged and published them both!

Pair that with Serde for serialization/deserialization (JSON, TOML, YAML, CSV/TSV, XML, URL query strings, etc.), Figment for configuration, and ignore for filesystem traversal with blacklist support, and Rust is a real joy for writing CLI utilities.

I see that are packages like https://github.com/dtolnay/serde-yaml and the parser where serde is built on that give a Yaml representation, but I don't see any way to walk through it in a generic way with a Visitor.

With the understanding we’ve built of the runtime environment, I feel ready to start porting a simple CLI I’ve built in Rust to run in WebAssembly as a service hosted in Hippo. [The project we’ll start with is J2Y(https://github.com/smurawski/j2y/tree/1-getting-started) – which is a little Rust application that converts JSON to YAML or YAML to JSON. We’ll adapt this to, depending on the target, either be a CLI or a WebAssembly binary to run in WAGI. The heavy lifting of the conversion is done by the serde-json and the serde-yaml crates.

You might also want to add this to https://github.com/rustsec/advisory-db so that cargo audit and Dependabot surface it.

The behavior of not extracting outside the specified directory has been the default since forever in Rust's tar. And then it had two RUSTSEC advisories for not handling this correctly in certain corner cases. The latest one in 2021.

cargo-audit only checks for known issues reported to a vulnerability database.

However, I keep getting this error when running cargo audit bin ~/.cargo/bin/*, even if I replace * with a specific binary: Fetching advisory database from `https://github.com/RustSec/advisory-db.git` Loaded 467 security advisories (from C:\Users\jonah\.cargo\advisory-db) Updating crates.io index error: I/O operation failed: The system cannot find the path specified. (os error 3) I'm on Windows 10.

I usually open an issue asking if the crate is still maintained. If there isn't a response for a decent amount of time (like multiple months) and the crate is somewhat popular then it could be worth opening an unmaintained advisory in the advisory-db

Here is the visualization of RustSec Advisory Database. I hope it will be helpful. If you need any more charts, feel free to comment.

FWIW the RustSec database is still not synced into the Github databse on a regular basis, even though they did an initial import of it. So the cargo audit github action is still relevant.