
Update serde_yml requirement from 0.0.12 to 0.0.13#13

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/cargo/serde_yml-0.0.13

Conversation


@dependabot dependabot Bot commented on behalf of github May 28, 2026

Updates the requirements on serde_yml to permit the latest version.

Release notes

Sourced from serde_yml's releases.

v0.0.13 — Final release (deprecation shim, RUSTSEC-2025-0068 fixed)

⚠️ Final release — serde_yml is deprecated

This is the final maintenance release of serde_yml. The crate is no longer under active development. 0.0.13 is a thin compatibility shim that lets existing call sites keep compiling while you migrate to one of the maintained alternatives listed below.

If you are reading this because cargo audit flagged your build, upgrading to 0.0.13 resolves RUSTSEC-2025-0068 structurally — see Security below.


TL;DR

  # Cargo.toml
- serde_yml = "0.0"
+ serde_yml = "0.0.13"

Your existing call sites compile unchanged. The compiler now emits a #[deprecated] warning at every use serde_yml::* import pointing at the migration guide. The C-FFI libyml parser is no longer in your dependency graph.

When you're ready to fully migrate, see the migration guide.


Security: RUSTSEC-2025-0068 fixed

RUSTSEC-2025-0068 (also GHSA-hhw4-xg65-fp2x) flagged every serde_yml ≤ 0.0.12 as unsound — the serde_yml::ser::Serializer.emitter field could cause a segmentation fault via the C-FFI libyaml parser.

0.0.13 removes the vulnerable surface entirely:

  • The C-FFI libyml dependency is gone from the graph.
  • serde_yml::ser::Serializer is now a re-export of a pure-Rust unit struct (pub struct Serializer;) with no emitter field — code that referenced .emitter no longer compiles, which is the desired outcome.
  • The backend (noyalib) enforces #![forbid(unsafe_code)] workspace-wide.

Verification:

cargo update -p serde_yml --precise 0.0.13
cargo tree -p serde_yml | grep libyml   # → no output

The RustSec advisory database PR adding patched = ["^0.0.13"] is pending review at rustsec/advisory-db#2915. Until it merges, cargo audit may still warn against 0.0.13 — the 0.0.13 release itself ships .cargo/audit.toml + deny.toml ignore entries so the self-referential warning doesn't block your own CI.


Maintained alternatives

Three crates are realistic destinations. Pick the one that fits.

Crate | Migration shape | Best fit

... (truncated)

Commits
  • 2bdacd5 ci: commit Cargo.lock for reproducible audits
  • 57983ac ci: ignore RUSTSEC-2025-0068 in cargo-audit / cargo-deny
  • c236ddd style: apply rustfmt (max_width=72)
  • 795e112 ci: include master in push triggers (default branch is master)
  • 5497552 Deprecate serde_yml — 0.0.13 shim forwarding to noyalib (#52)
  • ab3c49e Merge pull request #34 from horacimacias/master
  • c7ba7ac Merge pull request #35 from lucasvr/lucas/anchors
  • 140d00b Merge pull request #38 from nc7s/fix-cstr-pointer-type
  • a19e5c2 Merge pull request #18 from Mingun/remove-duplicated-clone
  • 6ffe205 fix: hard coded CStr pointer type, use ffi::c_char
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [serde_yml](https://github.com/sebastienrousseau/serde_yml) to permit the latest version.
- [Release notes](https://github.com/sebastienrousseau/serde_yml/releases)
- [Commits](sebastienrousseau/serde_yml@v0.0.12...v0.0.13)

---
updated-dependencies:
- dependency-name: serde_yml
  dependency-version: 0.0.13
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels May 28, 2026
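The release notes above give two things to verify after the bump: that serde_yml resolves to 0.0.13 or later and that libyml has left the dependency graph (the `cargo tree | grep libyml` check). The following is an added example written for this page, not code from serde_yml, noyalib or Dependabot: a dependency-free scan of Cargo.lock that a CI job can run offline, which is useful while the RustSec `patched` entry is still pending and `cargo audit` alone would warn against 0.0.13. The two embedded lockfiles are constructed samples; the libyml version in them is illustrative, not taken from any real build, and the version comparison deliberately ignores pre-release suffixes.

```rust
// Added example (not serde_yml's, noyalib's or Dependabot's code): enforce the
// two post-upgrade checks from the release notes against Cargo.lock offline.
use std::cmp::Ordering;

/// Minimum serde_yml version the release notes name as patched.
pub const PATCHED_SERDE_YML: &str = "0.0.13";

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
}

/// Extract `key = "value"` from one Cargo.lock line; None if the key differs.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    let inner = rest.strip_prefix('"')?;
    let end = inner.find('"')?;
    Some(inner[..end].to_string())
}

/// Parse the `[[package]]` entries of a Cargo.lock. Only `name` and `version`
/// are read; `source`, `checksum` and `dependencies` lines are skipped.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let (mut name, mut version) = (None::<String>, None::<String>);
    let mut in_package = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // Any table header ends the entry currently being collected.
            if let (true, Some(n), Some(v)) = (in_package, name.take(), version.take()) {
                packages.push(LockedPackage { name: n, version: v });
            }
            in_package = line == "[[package]]";
            continue;
        }
        if in_package {
            if let Some(v) = quoted_value(line, "name") {
                name = Some(v);
            } else if let Some(v) = quoted_value(line, "version") {
                version = Some(v);
            }
        }
    }
    if let (true, Some(n), Some(v)) = (in_package, name, version) {
        packages.push(LockedPackage { name: n, version: v });
    }
    packages
}

/// Compare dotted numeric versions ("0.0.12" vs "0.0.13"). Non-numeric
/// components count as 0, so pre-release tags are not ordered correctly.
pub fn cmp_version(a: &str, b: &str) -> Ordering {
    fn parts(s: &str) -> Vec<u64> {
        s.split('.').map(|p| p.parse().unwrap_or(0)).collect()
    }
    let (va, vb) = (parts(a), parts(b));
    for i in 0..va.len().max(vb.len()) {
        let x = va.get(i).copied().unwrap_or(0);
        let y = vb.get(i).copied().unwrap_or(0);
        match x.cmp(&y) {
            Ordering::Equal => continue,
            other => return other,
        }
    }
    Ordering::Equal
}

/// Findings for the lockfile; an empty list means both checks pass.
pub fn audit_lock(packages: &[LockedPackage]) -> Vec<String> {
    let mut findings = Vec::new();
    for p in packages {
        match p.name.as_str() {
            "serde_yml" if cmp_version(&p.version, PATCHED_SERDE_YML) == Ordering::Less => {
                findings.push(format!(
                    "serde_yml {} is below {} (RUSTSEC-2025-0068)",
                    p.version, PATCHED_SERDE_YML
                ))
            }
            "libyml" => findings.push(format!("libyml {} is still in the dependency graph", p.version)),
            _ => {}
        }
    }
    findings
}

/// Constructed sample: a lockfile before the bump (libyml version is illustrative).
pub const LOCK_BEFORE: &str = r#"
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "libyml"
version = "0.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde_yml"
version = "0.0.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "libyml",
]
"#;

/// Constructed sample: after `cargo update -p serde_yml --precise 0.0.13`.
pub const LOCK_AFTER: &str = r#"
version = 4

[[package]]
name = "serde_yml"
version = "0.0.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // In CI, replace the samples with std::fs::read_to_string("Cargo.lock")
    // and exit non-zero when the findings list is not empty.
    for (label, lock) in [("before", LOCK_BEFORE), ("after", LOCK_AFTER)] {
        let findings = audit_lock(&parse_cargo_lock(lock));
        if findings.is_empty() {
            println!("{label}: ok");
        }
        for f in &findings {
            println!("{label}: FAIL {f}");
        }
    }
}
```

This intentionally reads the lockfile rather than Cargo.toml: a `"0.0.13"` requirement in Cargo.toml only constrains resolution, while Cargo.lock records what actually gets built (commit 2bdacd5 in the list above commits the lockfile for the same reason). Run it alongside, not instead of, `cargo audit` once the RustSec `patched` entry has merged.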