chore: release

[frol]

🤖 New release

• borsh: 0.11.0 -> 1.0.0-alpha.1
• borsh-derive: 0.11.0 -> 1.0.0-alpha.1
• borsh-derive-internal: 0.11.0 -> 1.0.0-alpha.1
• borsh-schema-derive-internal: 0.11.0 -> 1.0.0-alpha.1

Changelog

borsh

1.0.0-alpha.1 - 2023-08-07

Bug Fixes

• Unused fields warn, fields for inner structs of derived BorshSchema method (fix: unused fields warn, fields for inner structs of derived BorshSch… #172)
• #[borsh_skip] on field of struct enum variant (BorshSerialize) (fix: #[borsh_skip] on field of struct enum variant (BorshSerialize) #174)
• Filter out foreign attributes in BorshSchema derive for enum (fix: filter out foreign attributes in BorshSchema derive for enum #177)

Documentation

• Create a brief documentation of crate's features (doc: create a brief documentation of crate's features #159)
• Mention schema feature in doc.rs (doc: mention schema feature in doc.rs #166)

Features

• Forbid Vectors of Zero-sized types from de-/serialization to resolve the RUSTSEC-2023-0033 (Forbid Zero-sized types from deserialization #145)
• Add top-level from_slice and from_reader helper functions to make the API nicer (Add top-level from_slice #142)
• [breaking] Add #[borsh(use_discriminant = <bool>)] attribute that changes enum discriminant de- and serialization behavior
• [breaking] Remove BinaryHeap support (feat!: remove BinaryHeap support #161)
• Sets/maps benches for reference point (feat: sets/maps benches for reference point #164)
• Enforce canonicity on HashSet/BTreeSet/HashMap/BTreeMap (feat: enforce canonicity on HashSet/BTreeSet/HashMap/BTreeMap #162)
• [breaking] Support recursive structures! (feat: derive * for recursive structures #178)
  • BorshSerialize, BorshDeserialize, BorshSchema derives may break
  • derives may require patching bounds with #[borsh(bound(..))] / #[borsh(schema(params = ...))]
• Bounds for ser/de derive and schema_params for schema derive attributes (feat: bounds for ser/de derive and schema_params for schema derive attributes #180)
• Derive attribute for 3rd party structs/enums as fields (feat: derive attribute for 3rd party structs/enums as fields #182)

Miscellaneous Tasks

• Bump proc-macro-crate versions (bump proc-macro-crate versions  #149)
• Add tests job for MSRV (1.65.0) (chore(ci): add tests job for MSRV (1.65.0) #151)
• [breaking] Hide maybestd from public interface, despite it being technically available by new name of __maybestd (chore(doc)!: hide maybestd from public interface #153)
• Fix broken reference-style link in minimum supported version badge (chore: fix broken reference-style link in minimum supported version b… #154)
• Remove a bunch of clippy-related TODOs (uninlined_format_args) (chore: remove a bunch of clippy-related TODOs (uninlined_format_args) #156)
• Simpler bounds on Rc/Arc impls (chore: simpler bounds on Rc/Arc impls #167)
• Invited @dj8yfo to CODEOWNERS (chore: Invited @dj8yfo to CODEOWNERS #169)
• [breaking] Replace ErrorKind::InvalidInput with ErrorKind::InvalidData as per original std::io meaning (chore: replace ErrorKind as per original std::io meaning #170)

Refactor

• [breaking] Make hashbrown dependency optional, hashbrown feature (refactor: make hashbrown dependency optional, hashbrown feature #155)
• [breaking] BorshSchemaContainer fields non-pub, HashMap -> BTreeMap in schema everywhere (chore: BorshSchemaContainer fields non-pub, HashMap -> BTreeMap in schema everywhere #165)
• [breaking] Move derive under #[cfg(feature = "derive")] (refactor: move derive under #[cfg(feature = "derive")] #168)
• Introduce __private module with macro runtime (refactor: introduce __private module with macro runtime #171)
• [breaking] Unsplit and removal of *-internal crates (refactor!: Unsplit and removal of *-internal crates #185)
  • borsh-schema-derive-internal and borsh-derive-internal crates won't be published anymore

Testing

• Add insta snapshots to borsh/tests (test: add insta snapshots to borsh/tests #157)
• insta tests for prettified TokenStream-s in borsh*derive-internal (test: insta tests for prettified TokenStream-s in `borsh*derive-i… #176)

Ci

• Only release-plz after other checks pass

---

This PR was generated with release-plz and semi-automatically with @dj8yfo.

[frol]

I am hesitant to cut this release now as it resolves the RUSTSEC issue which might trigger many projects to upgrade borsh to 0.11.1 version and they might fall into the trap of a more severe issue: #138 (comment) (some solution is needed)

cc @mina86 @iho

P.S. It is weird that release-plz suggests cutting 0.12.0 instead of 0.11.1 and dumps too many records to the CHANGELOG (again). These should also be investigated.

[maxammann]

I am hesitant to cut this release now as it resolves the RUSTSEC issue which might trigger many projects to upgrade borsh to 0.11.1

It is possible to delay resolving the RustSec issue. It is a manual process after all.

But I'm not sure if I understand why we would want to delay the release of #138

[mina86]

But I'm not sure if I understand why we would want to delay the release of #138

#138 changes serialisation format and updating to borsh release with it can silently break the code.

The usual solution for security fix would be to have a point releases for affected versions.

I have a rather brutal opinion of #138. I believe it should have never been merged and that at this point the best course of action is to revert it and yank 0.11 release. Then, this security fix can be cherry picked and released as 0.10.1.

[frol]

@mina86 I requested to yank 0.11.0 version of borsh from Crates.io before it is too late. But I would like to explore the way to implement a proper solution to #138, that does not leave us in a space where we need to carry "bugs" forever.

[mina86]

One option is to add #[borsh(use_discriminant = true|false)] annotation and break compilation if it’s not present. Then, once no one is using releases older than 0.12 switch the default and stop breaking compilation.

[frol]

@dj8yfo Your updates to the PR look great, and I only want to ask you to update it with the information about the following ones:

• (breaking?) refactor!: Unsplit and removal of *-internal crates #185 (just merged)
• (breaking) Add #[borsh(use_discriminant = <bool>)] that change enum discriminant de- and serialization behavior #148 #183:
  • Introduce a required #[borsh(use_discriminant = true|false)] enum attribute when discriminants are specified #147 - has even more context

P.S. And resolve the merge conflict 🙏

[maxammann]

I'll take care of the RUSTSEC issue as soon as this gets stable :)