@Sachin-Bhat

Hi folks,

Just a small PR. Updated the serde_yaml crate to a maintained fork, serde_yaml_ng; see fixes #3164

Collaborator

@Enselic Enselic left a comment

If we switch crate it must be after there is broad consensus on what to use instead. This crate is nowhere near that level of adoption.

@Sachin-Bhat
Author

Hi @Enselic, thanks for the review! I completely understand the hesitation currently. We can always migrate when the consensus is reached. In the meantime, I would leave a few links here:

  1. https://rustsec.org/advisories/RUSTSEC-2025-0068.html (This discusses two popular alternatives)
  2. Migrate to libyaml-safer acatton/serde-yaml-ng#5 (migration to libyaml-safer)

@MuntasirSZN
Contributor

Isn't saphyr the best one here?

@Sachin-Bhat
Author

I could change it to use serde-saphyr (ref), but the number of downloads is still small.

@MuntasirSZN
Contributor

Regardless, it's the only safest (no unsafe) pure Rust YAML implementation that's still maintained well. See the readme of https://github.com/bourumir-wyngs/serde-yaml-bw to know the weird status of YAML in Rust.

@Sachin-Bhat
Author

Yep, I did go through it as I was looking at the alternatives. If consensus is reached, I could go ahead with the change. @Enselic, would it be okay if we switch to the serde-saphyr implementation instead?

@MuntasirSZN
Contributor

Also, the serde docs.rs page recommends serde_yaml, which is weird. Because of this, adoption is a bit slow. (One needs to go through the rabbit hole.)

Development

Successfully merging this pull request may close these issues.

serde_yaml is deprecated
