
deps(cargo): bump serde_yml from 0.0.12 to 0.0.13 in the serde group across 1 directory#68

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/serde-b408ca3e51

Conversation

dependabot Bot commented on behalf of github Jun 6, 2026

Contributor

Bumps the serde group with 1 update in the / directory: serde_yml.

Updates serde_yml from 0.0.12 to 0.0.13

Release notes

Sourced from serde_yml's releases.

v0.0.13 — Final release (deprecation shim, RUSTSEC-2025-0068 fixed)

⚠️ Final release — serde_yml is deprecated

This is the final maintenance release of serde_yml. The crate is no longer under active development. 0.0.13 is a thin compatibility shim that lets existing call sites keep compiling while you migrate to one of the maintained alternatives listed below.

If you are reading this because cargo audit flagged your build, upgrading to 0.0.13 resolves RUSTSEC-2025-0068 structurally — see Security below.


TL;DR

  # Cargo.toml
- serde_yml = "0.0"
+ serde_yml = "0.0.13"

Your existing call sites compile unchanged. The compiler now emits a #[deprecated] warning at every use serde_yml::* import pointing at the migration guide. The C-FFI libyml parser is no longer in your dependency graph.

When you're ready to fully migrate, see the migration guide.


Security: RUSTSEC-2025-0068 fixed

RUSTSEC-2025-0068 (also GHSA-hhw4-xg65-fp2x) flagged every serde_yml ≤ 0.0.12 as unsound — the serde_yml::ser::Serializer.emitter field could cause a segmentation fault via the C-FFI libyaml parser.

0.0.13 removes the vulnerable surface entirely:

  • The C-FFI libyml dependency is gone from the graph.
  • serde_yml::ser::Serializer is now a re-export of a pure-Rust unit struct (pub struct Serializer;) with no emitter field — code that referenced .emitter no longer compiles, which is the desired outcome.
  • The backend (noyalib) enforces #![forbid(unsafe_code)] workspace-wide.

Verification:

cargo update -p serde_yml --precise 0.0.13
cargo tree -p serde_yml | grep libyml   # → no output

The RustSec advisory database PR adding patched = ["^0.0.13"] is pending review at rustsec/advisory-db#2915. Until it merges, cargo audit may still warn against 0.0.13 — the 0.0.13 release itself ships .cargo/audit.toml + deny.toml ignore entries so the self-referential warning doesn't block your own CI.


Maintained alternatives

Three crates are realistic destinations. Pick the one that fits.

Crate Migration shape Best fit

... (truncated)

Commits
  • 2bdacd5 ci: commit Cargo.lock for reproducible audits
  • 57983ac ci: ignore RUSTSEC-2025-0068 in cargo-audit / cargo-deny
  • c236ddd style: apply rustfmt (max_width=72)
  • 795e112 ci: include master in push triggers (default branch is master)
  • 5497552 Deprecate serde_yml — 0.0.13 shim forwarding to noyalib (#52)
  • ab3c49e Merge pull request #34 from horacimacias/master
  • c7ba7ac Merge pull request #35 from lucasvr/lucas/anchors
  • 140d00b Merge pull request #38 from nc7s/fix-cstr-pointer-type
  • a19e5c2 Merge pull request #18 from Mingun/remove-duplicated-clone
  • 6ffe205 fix: hard coded CStr pointer type, use ffi::c_char
  • Additional commits viewable in compare view
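The release notes above say cargo audit may keep warning against 0.0.13 until the advisory-db patched range merges, and that the crate ships its own audit ignore entries to work around that. A CI gate that reads the committed Cargo.lock directly (the lockfile this PR's branch commits, per the "ci: commit Cargo.lock" commit) avoids depending on either. The script below is an added example for this review, not code from this PR, from serde_yml or from Dependabot; the two Cargo.lock excerpts are constructed (checksums omitted, the libyml, noyalib and serde versions are placeholders), and the function names lock_versions, version_ge and check_lock are mine.

```shell
#!/bin/sh
# Constructed Cargo.lock excerpt as it might look before this PR (placeholder
# versions except serde_yml; checksum lines omitted). Not the project's real lockfile.
LOCK_BEFORE='version = 3

[[package]]
name = "libyml"
version = "0.0.5"
source = "registry+https://crates.io/index"

[[package]]
name = "serde"
version = "1.0.219"
source = "registry+https://crates.io/index"

[[package]]
name = "serde_yml"
version = "0.0.12"
source = "registry+https://crates.io/index"
dependencies = [
 "libyml",
 "serde",
]
'

# Constructed excerpt after the bump: serde_yml 0.0.13 forwards to the pure-Rust
# noyalib shim and libyml is gone from the graph.
LOCK_AFTER='version = 3

[[package]]
name = "noyalib"
version = "0.1.0"
source = "registry+https://crates.io/index"

[[package]]
name = "serde"
version = "1.0.219"
source = "registry+https://crates.io/index"

[[package]]
name = "serde_yml"
version = "0.0.13"
source = "registry+https://crates.io/index"
dependencies = [
 "noyalib",
 "serde",
]
'

# First serde_yml release that removes the libyml C-FFI surface (RUSTSEC-2025-0068).
FIXED="0.0.13"

# lock_versions LOCKFILE_TEXT CRATE: print every version of CRATE recorded in the
# lockfile, one per line (a crate can appear more than once at different majors).
# Only top-level "name =" / "version =" keys of each [[package]] table are read, so
# entries inside "dependencies = [ ... ]" lists are ignored.
lock_versions() {
    printf '%s\n' "$1" | awk -v crate="$2" '
        /^\[\[package\]\]/ { name = "" }
        /^name = /         { v = $3; gsub(/"/, "", v); name = v }
        /^version = / && name == crate { v = $3; gsub(/"/, "", v); print v }
    '
}

# version_ge A B: true when dotted numeric version A >= B (numeric per component).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$2" ]
}

# check_lock LOCKFILE_TEXT: return 0 only when every serde_yml entry is >= FIXED and
# no libyml package is present; otherwise print the reason and return 1.
check_lock() {
    sy=$(lock_versions "$1" serde_yml)
    ly=$(lock_versions "$1" libyml)
    if [ -z "$sy" ]; then
        echo "FAIL: serde_yml not present in lockfile"; return 1
    fi
    for v in $sy; do
        if ! version_ge "$v" "$FIXED"; then
            echo "FAIL: serde_yml $v is affected by RUSTSEC-2025-0068 (< $FIXED)"; return 1
        fi
    done
    if [ -n "$ly" ]; then
        echo "FAIL: libyml $ly is still in the dependency graph"; return 1
    fi
    echo "OK: serde_yml $sy, libyml absent"
}

# Demo run over both constructed lockfiles; in CI you would pass "$(cat Cargo.lock)".
check_lock "$LOCK_BEFORE" || :
check_lock "$LOCK_AFTER"  || :
```

The second condition matters as much as the first: the advisory is about the C-FFI parser, so the gate should fail if any other path still pulls libyml into the graph even after serde_yml itself is at 0.0.13. Once rustsec/advisory-db#2915 lands, the RUSTSEC-2025-0068 ignore entries added in this PR's "ci: ignore RUSTSEC-2025-0068" commit should be removed so cargo audit resumes covering the crate normally.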

dependabot Bot commented on behalf of github Jun 6, 2026

Contributor Author

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot changed the title deps(cargo): bump serde_yml from 0.0.12 to 0.0.13 in the serde group deps(cargo): bump serde_yml from 0.0.12 to 0.0.13 in the serde group across 1 directory Jun 7, 2026
Bumps the serde group with 1 update in the / directory: [serde_yml](https://github.com/sebastienrousseau/serde_yml).


Updates `serde_yml` from 0.0.12 to 0.0.13
- [Release notes](https://github.com/sebastienrousseau/serde_yml/releases)
- [Commits](sebastienrousseau/serde_yml@v0.0.12...v0.0.13)

---
updated-dependencies:
- dependency-name: serde_yml
  dependency-version: 0.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: serde
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/serde-b408ca3e51 branch from b50efd0 to 27724d8 on June 7, 2026 23:04