Remove support for serde with pre-built binaries

This is a potential security vulnerability, particularly as the binaries
have not yet been reproduced.

cc serde-rs/serde#2538

Author: jhpratt

CHANGELOG.md

@@ -6,6 +6,15 @@ The format is based on [Keep a Changelog]. This project adheres to [Semantic Ver
 
 ---
 
+## 0.3.26 [2023-08-18]
+
+This release contains only a single change. `serde` is required to be a version prior to 1.0.171.
+This is due to the decision by the maintainer of `serde` to include pre-built binaries that are
+executed without the end user's knowledge. As of the time of publishing, the included binary has not
+even been reproduced. This is a security risk, and the `time` project strongly opposes this
+decision. While this may break some users' builds due to conflicting versions, it is a necessary
+step to ensure the security.
+
 ## 0.3.25 [2023-08-02]
 
 ### Fixed

Cargo.toml

@@ -5,7 +5,7 @@ resolver = "2"
 
 [workspace.dependencies]
 time-core = { path = "time-core", version = "=0.1.1" }
-time-macros = { path = "time-macros", version = "=0.2.11" }
+time-macros = { path = "time-macros", version = "=0.2.12" }
 
 criterion = { version = "0.5.1", default-features = false }
 deranged = { version = "0.3.7", default-features = false }
@@ -16,7 +16,8 @@ num_threads = "0.1.2"
 quickcheck = { version = "1.0.3", default-features = false }
 quickcheck_macros = "1.0.0"
 rand = { version = "0.8.4", default-features = false }
-serde = { version = "1.0.126", default-features = false }
+# <= 1.0.171 due to serde-rs/serde#2538
+serde = { version = ">= 1.0.126, <= 1.0.171", default-features = false }
 serde_json = "1.0.68"
 serde_test = "1.0.126"
 trybuild = "1.0.68"

time-macros/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "time-macros"
-version = "0.2.11"
+version = "0.2.12"
 authors = ["Jacob Pratt <[email protected]>", "Time contributors"]
 edition = "2021"
 rust-version = "1.67.0"

time/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "time"
-version = "0.3.25"
+version = "0.3.26"
 authors = ["Jacob Pratt <[email protected]>", "Time contributors"]
 edition = "2021"
 rust-version = "1.67.0"