Skip to content

Replace bincode dependency: crate is unmaintained (poison-pill 3.0.0 release) #377

Description

@Mec-iS

Background

The bincode crate has been abandoned following a doxxing and harassment incident against its maintainer. A final 3.0.0 release was published to crates.io whose entire source is:

compile_error!("https://xkcd.com/2347/");

This intentionally breaks any project that upgrades to (or is bumped to) 3.0.0 — as seen in Dependabot PR for bincode-3.0.0. The crates.io page now reads:

Bincode is now unmaintained. Due to a doxxing and harassment incident, development on bincode has ceased. No further releases will be published on crates.io.

Current Impact

  • Dependabot automatically opened a PR bumping bincode to 3.0.0, which fails to compile entirely.
  • The serde feature test blocks in the following files are affected:
    • src/tree/decision_tree_regressor.rs
    • src/ensemble/random_forest_classifier.rs
    • src/ensemble/random_forest_regressor.rs

Proposed Solution

We should migrate away from bincode to an actively maintained alternative. The bincode maintainer themselves suggested the following options:

Crate Notes
wincode Drop-in bincode-compatible alternative
postcard Similar in spirit to bincode, well-maintained, used in embedded/no_std contexts
rkyv Zero-copy deserialization; excellent for intra-program message passing use cases like smartcore's serde tests

For smartcore's use case (serializing/deserializing trained models in tests), postcard or rkyv are likely the best fits. wincode is the lowest-friction migration if a drop-in replacement is preferred.

Short-term Workaround

Pin bincode back to 1.3.3 in Cargo.toml (the last stable, working release) while the migration is evaluated:

[dev-dependencies]
bincode = "=1.3.3"

Next Steps

  • Decide on replacement crate
  • Update Cargo.toml [dev-dependencies]
  • Update serde test blocks in all three affected files
  • Ensure wasm32 target continues to work (--target wasm32-unknown-unknown --all-features)

Metadata

Metadata

Assignees

No one assigned

    Labels

    dependenciesPull requests that update a dependency filehelp wantedExtra attention is needed

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions