Yaml has security issue

[yaa110]

ID:       RUSTSEC-2018-0006
Crate:    yaml-rust
Version:  0.3.5
Date:     2018-09-17
URL:      https://rustsec.org/advisories/RUSTSEC-2018-0006
Title:    Uncontrolled recursion leads to abort in deserialization
Solution:  upgrade to >= 0.4.1
Dependency tree: 
yaml-rust 0.3.5
└── clap 2.33.0

[pksunkara]

Duplicate of #1569

[CreepySkeleton]

Yes, we know about it. But it's not a security issue because

1. yaml-rust ever receives only trusted input from clap. Those .yml files are included via include_str! at compile time. There's simply no avenue of attack to exploit.
2. As much as we would be willing to simply bump the version, it wouldn't be backward compatible because some types from yaml-rust occur in clap 2.x public API. The old dependency is 0.3, the fixed one is 0.4. Bumping it would break old code for no real benefit (see 1). For the record: this is fixed in master, clap 0.3 will not be depending on the vulnerable version.

That said, this is a false positive. @yaa110 would it be possible to mention this comment on https://rustsec.org/?

[yaa110]

@CreepySkeleton The problem is that the CI (cargo audit) is failed due to security issue of yaml-rust.