From 500f8e4517cb89f0aa80087130ed2f8b8349f162 Mon Sep 17 00:00:00 2001
From: Jacob Pratt
Date: Fri, 18 Aug 2023 19:12:10 -0400
Subject: [PATCH] Remove support for serde with pre-built binaries

This is a potential security vulnerability, particularly as the binaries have not yet been reproduced. cc serde-rs/serde#2538
---
 CHANGELOG.md | 9 +++++++++
 Cargo.toml | 5 +++--
 time-macros/Cargo.toml | 2 +-
 time/Cargo.toml | 2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 933f44fa3..2c067e422 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,15 @@ The format is based on [Keep a Changelog]. This project adheres to [Semantic Ver
 ---
+## 0.3.26 [2023-08-18]
+
+This release contains only a single change. `serde` is required to be a version prior to 1.0.171.
+This is due to the decision by the maintainer of `serde` to include pre-built binaries that are
+executed without the end user's knowledge. As of the time of publishing, the included binary has not
+even been reproduced. This is a security risk, and the `time` project strongly opposes this
+decision. While this may break some users' builds due to conflicting versions, it is a necessary
+step to ensure the security.
+
 ## 0.3.25 [2023-08-02]
 ### Fixed
diff --git a/Cargo.toml b/Cargo.toml
index d1dd8d390..a46e7a123 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -5,7 +5,7 @@ resolver = "2"
 [workspace.dependencies]
 time-core = { path = "time-core", version = "=0.1.1" }
-time-macros = { path = "time-macros", version = "=0.2.11" }
+time-macros = { path = "time-macros", version = "=0.2.12" }
 criterion = { version = "0.5.1", default-features = false }
 deranged = { version = "0.3.7", default-features = false }
@@ -16,7 +16,8 @@ num_threads = "0.1.2"
 quickcheck = { version = "1.0.3", default-features = false }
 quickcheck_macros = "1.0.0"
 rand = { version = "0.8.4", default-features = false }
-serde = { version = "1.0.126", default-features = false }
+# <= 1.0.171 due to serde-rs/serde#2538
+serde = { version = ">= 1.0.126, <= 1.0.171", default-features = false }
 serde_json = "1.0.68"
 serde_test = "1.0.126"
 trybuild = "1.0.68"
diff --git a/time-macros/Cargo.toml b/time-macros/Cargo.toml
index b1742087a..a234db32a 100644
--- a/time-macros/Cargo.toml
+++ b/time-macros/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "time-macros"
-version = "0.2.11"
+version = "0.2.12"
 authors = ["Jacob Pratt ", "Time contributors"]
 edition = "2021"
 rust-version = "1.67.0"
diff --git a/time/Cargo.toml b/time/Cargo.toml
index 4e5bb4a54..e4f597c70 100644
--- a/time/Cargo.toml
+++ b/time/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "time"
-version = "0.3.25"
+version = "0.3.26"
 authors = ["Jacob Pratt ", "Time contributors"]
 edition = "2021"
 rust-version = "1.67.0"
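Review bot: The upper bound on the new `serde` line admits 1.0.171 (`<= 1.0.171`), while the CHANGELOG entry in this same patch says serde "is required to be a version prior to 1.0.171"; one of the two is off by one release, and the boundary should read identically in the requirement, the `#` comment above it and the changelog before this is published. Which side is right depends on the first serde_derive release that shipped the pre-built binary (serde-rs/serde#2538), which cannot be confirmed from this patch alone. The cap only reaches downstream users if `time/Cargo.toml` inherits this entry via `workspace = true`; that file's hunk here shows only the version bump, so please confirm the crate-level requirement being published carries the same bound. Because the cap will also reject any later serde release that drops the binary, I would record the exit condition in the comment, e.g. `# <= 1.0.171 due to serde-rs/serde#2538; lift the cap once a release without the pre-built binary is available`.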