Skip to content

chore(deps): bump serde_with from 3.18.0 to 3.21.0#1475

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/serde_with-3.21.0
Open

chore(deps): bump serde_with from 3.18.0 to 3.21.0#1475
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/serde_with-3.21.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps serde_with from 3.18.0 to 3.21.0.

Release notes

Sourced from serde_with's releases.

serde_with v3.21.0

Security

  • GHSA-7gcf-g7xr-8hxj: KeyValueMap serialization panics on empty sequence or map entries Bad or attacker controlled values could cause a panic while allocating too large values. Fixed in #966 by setting a maximum allocation size during the creation of collections like Vec or sets.

    Thanks to @​7thParkk for reporting the issue.

Added

  • Add NoneAsZero adapter that maps Option<NonZero*> to a plain integer, encoding None as 0 by @​SAY-5 (#486)

Changed

  • Re-enable link-to-definition on docs.rs (#964)

Fixed

  • Fix some doc links to point to the correct types (#963)
  • Re-enable unused_qualifications and fix the resulting findings by @​lms0806 (#962)

serde_with v3.20.0

Added

  • Add support for base58 encoding, similar to the existing base64 setup by @​mitinarseny (#943)

Fixed

serde_with v3.19.0

Added

  • Add support for hashbrown v0.17 (#940)

    This extends the existing support for hashbrown to the newly released version.

Commits
  • 0f4ca67 Update changelog for 3.21.0 (#967)
  • 7654841 Update changelog for 3.21.0
  • c8a1d82 Protect all collection creations against capacity overflow by using `size_hin...
  • 6ad5fa5 Properly feature gate the vec_with_capacity_cautious function
  • ef7d141 Protect all collection creations against capacity overflow by using `size_hin...
  • a348da3 Add serde_as deserialize_as explain (#958)
  • 2e5bc20 Bump the github-actions group with 3 updates (#965)
  • 927a3d6 Bump the github-actions group with 3 updates
  • 62d14ec Enable link-to-definition on docs.rs again, after the upstream issue was reso...
  • 4584d94 Enable link-to-definition on docs.rs again, after the upstream issue was reso...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [serde_with](https://github.com/jonasbb/serde_with) from 3.18.0 to 3.21.0.
- [Release notes](https://github.com/jonasbb/serde_with/releases)
- [Commits](jonasbb/serde_with@v3.18.0...v3.21.0)

---
updated-dependencies:
- dependency-name: serde_with
  dependency-version: 3.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Jul 13, 2026

@tangletools tangletools left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟢 Value Audit — sound

Verdict sound
Concerns 1 (1 weak-concern)
Heuristic 0.0s
Duplication 0.0s
Interrogation 94.3s (2 bridge agents)
Total 94.3s

💰 Value — sound

Lockfile-only bump of serde_with 3.18.0→3.21.0; picks up a security advisory fix and is the canonical way to keep a declared dep current.

  • What it does: Updates Cargo.lock entries for serde_with and serde_with_macros from 3.18.0 to 3.21.0, pulling in a new transitive bs58 dep (base58 support added in 3.20.0) and updating minor transitive versions (syn, windows-core in wasm-bindgen subtree). No source files change.
  • Goals it achieves: Keep the declared serde_with dependency (Cargo.toml:323, workspace = ^3.14.0) current. The 3.21.0 release notably fixes GHSA-7gcf-g7xr-8hxj (KeyValueMap panic on attacker-controlled empty sequences/maps via oversized allocation), so staying current has a concrete security payoff.
  • Assessment: A standard automated dependency bump. It satisfies the existing workspace version constraint (^3.14.0), touches only Cargo.lock, requires no source changes, and includes a security fix that alone justifies merging. The Cargo.lock diff is exactly what cargo update -p serde_with would produce. No friction with the codebase's grain.
  • Better / existing approach: none — this is the right approach. Checked: rg 'serde_with::|use serde_with|serde_with#' --type rust returns no hits; the crate is declared in crates/pricing-engine/Cargo.toml:54 but not actively referenced in source (the two .rs matches are test function names that happen to contain the substring). That unused-declaration is pre-existing and orthogonal to this bump — it predates the PR and the
  • Model: opencode/zai-coding-plan/glm-5.2
  • Bridge attempts: 2
  • Bridge warning: opencode/kimi-for-coding/k2p7: bridge stream ended without value-audit content

🎯 Usefulness — sound

Routine semver-minor dependabot bump of serde_with (3.18→3.21); harmless Cargo.lock-only change that is standard hygiene, though the dependency itself appears to have no source-level callers in the workspace.

  • Integration: The bump only modifies Cargo.lock (serde_with, serde_with_macros → 3.21.0, plus transitive bs58 add and syn/windows-core shifts). It is reachable insofar as pricing-engine/Cargo.toml:54 declares serde_with = { workspace = true }, so the resolved version propagates correctly through the workspace resolver. No manifest version floor blocks it (workspace floor is 3.14.0). No build breakage expected
  • Fit with existing patterns: Version bumps of workspace dependencies via Cargo.lock are the established maintenance pattern in this repo (recent commits show the same motion for x402-axum, etc.). No competing pattern exists for keeping transitive lockfile entries current. This is fully in the grain of how the repo is maintained.
  • Real-world viability: serde_with 3.21.0 ships a security fix (KeyValueMap panic on attacker-controlled allocation size) and is a mature, widely-used crate, so it holds up under realistic use. The bump is semver-minor with no API removals, so existing (or future) callers won't break. The transitive changes (syn 1.0.109 downgrade for one caller, windows-core 0.62.2 for wasm-bindgen-related path, bs58 added) are benign an
  • Model: opencode/zai-coding-plan/glm-5.2
  • Bridge attempts: 1

🎯 Usefulness Audit

🟡 serde_with appears to be an unused dependency across the entire workspace [integration] ``

Grepped all .rs files: zero use serde_with, zero serde_with::, zero #[serde_with] attributes, zero use of its well-known types (SerializeDisplay, DeserializeFromStr, TimestampSeconds, DurationSeconds, NoneAsZero, KeyValueMap, base58). Declared at Cargo.toml:323 (workspace) and consumed only by crates/pricing-engine/Cargo.toml:54, but pricing-engine/src/ never references it. The two test-name matches (tee/tests/exchange_tests.rs:462, runtime_tests.rs:433) are English phrasing ('serde with e


What this audit checks

It judges the change on its merits — not whether it was tasked out in an issue. Unticketed, fast-moving work is fine; the question is whether the change is good and whether a better or existing approach should be used instead.

Pass What it asks
Heuristic Vague title? Whitespace-only or cruft-bearing diff? (content signals only)
Duplication Do added function/class names already exist elsewhere in the repo?
Value Audit What does it do? What goal does it achieve? Is it good? Better architecture or already-exists?
Usefulness Audit Does it integrate and fit? Will it hold up in real use and actually get used?

Findings are concerns, not blocks — the human reviewer decides what to do with them.

value-audit · 20260713T121549Z

@tangletools

Copy link
Copy Markdown
Contributor

✅ No Blockers — 41d09bcc

Review health 100/100 · Reviewer score 95/100 · Confidence 65/100 · 0 findings (none)

glm: Correctness 95 · Security 95 · Testing 95 · Architecture 95

Reviewer score is advisory once the run is complete and the verdict has no blockers.

Full multi-shot audit completed 1/1 planned shots over 1 changed files. Global verifier still owns final merge decision.

No findings.


tangletools · 2026-07-13T12:17:06Z · trace

@tangletools tangletools left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Clean — 41d09bcc

Full multi-shot audit completed 1/1 planned shots over 1 changed files. Global verifier still owns final merge decision.

Full immutable report for this review: trace

Summary comment for this run: full summary


tangletools · 2026-07-13T12:17:06Z · immutable trace

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update Rust code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant