Skip to content

fix: update serde_with to 3.21.0 to resolve GHSA-7gcf-g7xr-8hxj#295

Merged
alokedesai merged 1 commit into
mainfrom
independabot/serde_with-GHSA-7gcf-g7xr-8hxj
Jul 17, 2026
Merged

fix: update serde_with to 3.21.0 to resolve GHSA-7gcf-g7xr-8hxj#295
alokedesai merged 1 commit into
mainfrom
independabot/serde_with-GHSA-7gcf-g7xr-8hxj

Conversation

@independabot-soc2

Copy link
Copy Markdown
Contributor

Hi, this is independabot — not Lili! You can ask her if you have questions, but she had no hand in generating this PR other than setting up the independabot schedule.

Please merge this PR yourself, if you approve.

BEFORE YOU MERGE

Instructions for resolving the vuln

Risky code / where the dependency is used

  • completion-metadata/src/fig_types.rs — uses serde_as, NoneAsEmptyString, OneOrMany, skip_serializing_none, formats::{PreferMany, PreferOne}
  • command-signatures/src/overrides.rs — uses serde_with traits
  • command-signatures/src/powershell_autogenerator/mod.rs — uses serde_as, DefaultOnNull, OneOrMany, formats::PreferMany

The upgrade is major (2→3) but the APIs used are stable across versions; all tests pass.

Special instructions

This is a major-version bump (2.x → 3.x). Cargo.lock is gitignored (library crate), so downstream consumers will resolve the version at their build time.

AFTER YOU MERGE

No post-merge steps required.

@cla-bot cla-bot Bot added the cla-signed label Jul 17, 2026
@oz-for-oss

oz-for-oss Bot commented Jul 17, 2026

Copy link
Copy Markdown

@independabot-soc2[bot]

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

@independabot-soc2
independabot-soc2 Bot requested a review from alokedesai July 17, 2026 13:07
Co-Authored-By: Oz <oz-agent@warp.dev>
@independabot-soc2
independabot-soc2 Bot force-pushed the independabot/serde_with-GHSA-7gcf-g7xr-8hxj branch from e1dcaef to 29cd61c Compare July 17, 2026 13:07

@oz-for-oss oz-for-oss Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overview

This PR updates serde_with from 2.0.1 to 3.21.0 in both Cargo manifests to address the reported advisory. The attached diff only changes dependency versions, with no code or configuration changes that introduce new behavior.

Concerns

  • No blocking correctness, security, or spec-alignment concerns found in the annotated diff.

Verdict

Found: 0 critical, 0 important, 0 suggestions

Approve

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

@alokedesai
alokedesai merged commit 7068528 into main Jul 17, 2026
8 checks passed
@alokedesai
alokedesai deleted the independabot/serde_with-GHSA-7gcf-g7xr-8hxj branch July 17, 2026 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants