mirror of
https://github.com/rust-lang/rust-analyzer
synced 2024-12-28 22:13:39 +00:00
6c46b98a95
serde 1.0.172 and up rely on opaque non-reproducible binary blobs to function, explicitly not providing a library-level opt-out. This is problematic for two reasons: - directly, unauditable binary blobs are a security issue. - indirectly, it becomes much harder to predict future behaviors of the crate. As such, I am willing to go on a limb here and forbid building rust-analyzer with those versions of serde. Normally, my philosophy is to defer the choice to the end user, but it's also a design constraint of rust-analyzer that we don't run random binaries downloaded from the internet without explicit user's concent. Concretely, this upper-bounds serde for both rust-analyzer workspace, as well as the lsp-server lib. See https://github.com/serde-rs/serde/issues/2538 for wider context.
17 lines
509 B
TOML
17 lines
509 B
TOML
[package]
|
|
name = "lsp-server"
|
|
version = "0.7.3"
|
|
description = "Generic LSP server scaffold."
|
|
license = "MIT OR Apache-2.0"
|
|
repository = "https://github.com/rust-lang/rust-analyzer/tree/master/lib/lsp-server"
|
|
edition = "2021"
|
|
|
|
[dependencies]
|
|
log = "0.4.17"
|
|
serde_json = "1.0.96"
|
|
# See https://github.com/serde-rs/serde/issues/2538#issuecomment-1684517372 for why we pin serde
|
|
serde = { version = "1.0.156, < 1.0.172", features = ["derive"] }
|
|
crossbeam-channel = "0.5.6"
|
|
|
|
[dev-dependencies]
|
|
lsp-types = "=0.94"
|