Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary. This has generated a fair amount of concern among some developers who highlight the future legal and technical issues this may pose, along with a potential for supply chain attacks.
The developer has agreed to remove the precomputed binary in v1.0.184:
https://github.com/serde-rs/serde/releases/tag/v1.0.184
Awesome!
Gotta figure a way to avoid the specific versions but I’m glad they relented.