fix: update serde_with to 3.21.0 to resolve GHSA-7gcf-g7xr-8hxj#295
Merged
Conversation
|
@independabot-soc2[bot] I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request. Comment Powered by Oz |
Co-Authored-By: Oz <oz-agent@warp.dev>
independabot-soc2
Bot
force-pushed
the
independabot/serde_with-GHSA-7gcf-g7xr-8hxj
branch
from
July 17, 2026 13:07
e1dcaef to
29cd61c
Compare
There was a problem hiding this comment.
Overview
This PR updates serde_with from 2.0.1 to 3.21.0 in both Cargo manifests to address the reported advisory. The attached diff only changes dependency versions, with no code or configuration changes that introduce new behavior.
Concerns
- No blocking correctness, security, or spec-alignment concerns found in the annotated diff.
Verdict
Found: 0 critical, 0 important, 0 suggestions
Approve
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
alokedesai
approved these changes
Jul 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hi, this is independabot — not Lili! You can ask her if you have questions, but she had no hand in generating this PR other than setting up the independabot schedule.
Please merge this PR yourself, if you approve.
BEFORE YOU MERGE
Instructions for resolving the vuln
serde_withbumped from 2.0.1 → 3.21.0 in bothcompletion-metadata/Cargo.tomlandcommand-signatures/Cargo.tomlcargo audit— 0 advisories;cargo build— clean;cargo test— 10/10 passedRisky code / where the dependency is used
completion-metadata/src/fig_types.rs— usesserde_as,NoneAsEmptyString,OneOrMany,skip_serializing_none,formats::{PreferMany, PreferOne}command-signatures/src/overrides.rs— usesserde_withtraitscommand-signatures/src/powershell_autogenerator/mod.rs— usesserde_as,DefaultOnNull,OneOrMany,formats::PreferManyThe upgrade is major (2→3) but the APIs used are stable across versions; all tests pass.
Special instructions
This is a major-version bump (2.x → 3.x).
Cargo.lockis gitignored (library crate), so downstream consumers will resolve the version at their build time.AFTER YOU MERGE
No post-merge steps required.