fix: upgrade bincode 1.3 → 2.0 (RUSTSEC-2025-0141)

devonshigaki · devonshigaki · commit e30cd34c6a65 · 2026-04-08T00:12:38.000-07:00
- Update bincode from 1.3.3 to 2.0.1 in all crates
- Migrate API calls to bincode v2:
  - bincode::serialize() → bincode::serde::encode_to_vec()
  - bincode::deserialize() → bincode::serde::decode_from_slice()
- Update error handling for EncodeError/DecodeError
- Add http2 feature to hyper-rustls for compatibility

Fixes RUSTSEC-2025-0141 (bincode unmaintained)
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/libsql-replication/Cargo.toml b/libsql-replication/Cargo.toml
@@ -29,7 +29,7 @@ cbc = "0.1.2"
  
 [dev-dependencies]
 arbitrary = { version = "1.3.0", features = ["derive_arbitrary"] }
-bincode = "1.3.3"
+bincode = { version = "2", features = ["serde"] }
 tempfile = "3.8.0"
 prost-build = "0.13"
 tonic-build = "0.12"
diff --git a/libsql-server/Cargo.toml b/libsql-server/Cargo.toml
@@ -18,7 +18,7 @@ async-trait = "0.1.58"
 axum = { version = "0.7", features = [] }
 axum-extra = { version = "0.9", features = ["query"] }
 base64 = "0.21.0"
-bincode = "1.3.3"
+bincode = { version = "2", features = ["serde"] }
 bottomless = { version = "0", path = "../bottomless", features = ["libsql_linked_statically"] }
 bytes = { version = "1.2.1", features = ["serde"] }
 bytesize = { version = "1.2.0", features = ["serde"] }
diff --git a/libsql-server/src/error.rs b/libsql-server/src/error.rs
@@ -244,8 +244,14 @@ impl From<tokio::sync::oneshot::error::RecvError> for Error {
     }
 }
 
-impl From<bincode::Error> for Error {
-    fn from(other: bincode::Error) -> Self {
+impl From<bincode::error::EncodeError> for Error {
+    fn from(other: bincode::error::EncodeError) -> Self {
+        Self::Internal(other.to_string())
+    }
+}
+
+impl From<bincode::error::DecodeError> for Error {
+    fn from(other: bincode::error::DecodeError) -> Self {
         Self::Internal(other.to_string())
     }
 }
diff --git a/libsql-server/src/rpc/proxy.rs b/libsql-server/src/rpc/proxy.rs
@@ -97,21 +97,23 @@ pub mod rpc {
         fn try_from(value: crate::query::Params) -> Result<Self, Self::Error> {
             match value {
                 crate::query::Params::Named(params) => {
+                    let config = bincode::config::legacy();
                     let iter = params.into_iter().map(|(k, v)| -> Result<_, SqldError> {
                         let v = Value {
-                            data: bincode::serialize(&v)?,
+                            data: bincode::serde::encode_to_vec(&v, config)?,
                         };
                         Ok((k, v))
                     });
                     let (names, values) = itertools::process_results(iter, |i| i.unzip())?;
                     Ok(Self::Named(Named { names, values }))
                 }
                 crate::query::Params::Positional(params) => {
+                    let config = bincode::config::legacy();
                     let values = params
                         .iter()
                         .map(|v| {
                             Ok(Value {
-                                data: bincode::serialize(&v)?,
+                                data: bincode::serde::encode_to_vec(&v, config)?,
                             })
                         })
                         .collect::<Result<Vec<_>, SqldError>>()?;
@@ -127,15 +129,23 @@ pub mod rpc {
         fn try_from(value: query::Params) -> Result<Self, Self::Error> {
             match value {
                 query::Params::Positional(pos) => {
+                    let config = bincode::config::legacy();
                     let params = pos
                         .values
                         .into_iter()
-                        .map(|v| bincode::deserialize(&v.data).map_err(|e| e.into()))
+                        .map(|v| -> Result<crate::query::Value, SqldError> {
+                            let (decoded, _) = bincode::serde::decode_from_slice(&v.data, config)?;
+                            Ok(decoded)
+                        })
                         .collect::<Result<Vec<_>, SqldError>>()?;
                     Ok(Self::Positional(params))
                 }
                 query::Params::Named(named) => {
-                    let values = named.values.iter().map(|v| bincode::deserialize(&v.data));
+                    let config = bincode::config::legacy();
+                    let values = named.values.iter().map(|v| -> Result<crate::query::Value, SqldError> {
+                        let (decoded, _) = bincode::serde::decode_from_slice(&v.data, config)?;
+                        Ok(decoded)
+                    });
                     let params = itertools::process_results(values, |values| {
                         named.names.into_iter().zip(values).collect()
                     })?;
@@ -455,8 +465,10 @@ impl QueryResultBuilder for ExecuteResultsBuilder {
     }
 
     fn add_row_value(&mut self, v: ValueRef) -> Result<(), QueryResultBuilderError> {
-        let data = bincode::serialize(
+        let config = bincode::config::legacy();
+        let data = bincode::serde::encode_to_vec(
             &crate::query::Value::try_from(v).map_err(QueryResultBuilderError::from_any)?,
+            config,
         )
         .map_err(QueryResultBuilderError::from_any)?;
 
diff --git a/libsql/Cargo.toml b/libsql/Cargo.toml
@@ -18,7 +18,7 @@ tokio = { version = "1.29.1", features = ["sync"], optional = true }
 tokio-util = { version = "0.7", features = ["io-util", "codec"], optional = true }
 parking_lot = { version = "0.12.1", optional = true }
 hyper = { version = "1.0", features = ["client", "http1", "http2"], optional = true }
-hyper-rustls = { version = "0.27", features = ["webpki-roots"], optional = true }
+hyper-rustls = { version = "0.27", features = ["webpki-roots", "http2"], optional = true }
 http-body-util = { version = "0.1", optional = true }
 hyper-util = { version = "0.1", features = ["client", "tokio"], optional = true }
 base64 = { version = "0.21", optional = true }
@@ -29,7 +29,7 @@ bitflags = { version = "2.4.0", optional = true }
 tower = { workspace = true, features = ["util"], optional = true }
 worker = { version = "0.6.7", optional = true }
 
-bincode = { version = "1", optional = true }
+bincode = { version = "2", optional = true, features = ["serde"] }
 anyhow = { version = "1.0.71", optional = true }
 bytes = { version = "1.4.0", features = ["serde"], optional = true }
 uuid = { version = "1.4.0", features = ["v4", "serde"], optional = true }
diff --git a/libsql/src/errors.rs b/libsql/src/errors.rs
@@ -112,8 +112,15 @@ pub fn sqlite_errmsg_to_string(errmsg: *const std::ffi::c_char) -> String {
 }
 
 #[cfg(feature = "replication")]
-impl From<bincode::Error> for Error {
-    fn from(e: bincode::Error) -> Self {
-        Error::Bincode(e.into())
+impl From<bincode::error::EncodeError> for Error {
+    fn from(e: bincode::error::EncodeError) -> Self {
+        Error::Bincode(e.to_string().into())
+    }
+}
+
+#[cfg(feature = "replication")]
+impl From<bincode::error::DecodeError> for Error {
+    fn from(e: bincode::error::DecodeError) -> Self {
+        Error::Bincode(e.to_string().into())
     }
 }
diff --git a/libsql/src/params.rs b/libsql/src/params.rs
@@ -289,18 +289,20 @@ impl From<Params> for libsql_replication::rpc::proxy::query::Params {
         match params {
             Params::None => proxy::query::Params::Positional(proxy::Positional::default()),
             Params::Positional(values) => {
+                let config = bincode::config::legacy();
                 let values = values
                     .iter()
-                    .map(|v| bincode::serialize(v).unwrap())
+                    .map(|v| bincode::serde::encode_to_vec(v, config).unwrap())
                     .map(|data| proxy::Value { data })
                     .collect::<Vec<_>>();
                 proxy::query::Params::Positional(proxy::Positional { values })
             }
             Params::Named(values) => {
+                let config = bincode::config::legacy();
                 let (names, values) = values
                     .into_iter()
                     .map(|(name, value)| {
-                        let data = bincode::serialize(&value).unwrap();
+                        let data = bincode::serde::encode_to_vec(&value, config).unwrap();
                         let value = proxy::Value { data };
                         (name, value)
                     })
diff --git a/libsql/src/value.rs b/libsql/src/value.rs
@@ -458,8 +458,11 @@ impl TryFrom<&libsql_replication::rpc::proxy::Value> for Value {
             Blob(Vec<u8>),
         }
 
+        let config = bincode::config::legacy();
+        let (decoded, _) = bincode::serde::decode_from_slice::<BincodeValue, _>(&value.data[..], config)
+            .map_err(Error::from)?;
         Ok(
-            match bincode::deserialize::<'_, BincodeValue>(&value.data[..]).map_err(Error::from)? {
+            match decoded {
                 BincodeValue::Null => Value::Null,
                 BincodeValue::Integer(i) => Value::Integer(i),
                 BincodeValue::Real(x) => Value::Real(x),

Original file line number	Diff line number	Diff line change
`@@ -244,8 +244,14 @@ impl From<tokio::sync::oneshot::error::RecvError> for Error {`
`244`	`244`	`}`
`245`	`245`	`}`
`246`	`246`
`247`		`-impl From<bincode::Error> for Error {`
`248`		`- fn from(other: bincode::Error) -> Self {`
	`247`	`+impl From<bincode::error::EncodeError> for Error {`
	`248`	`+ fn from(other: bincode::error::EncodeError) -> Self {`
	`249`	`+ Self::Internal(other.to_string())`
	`250`	`+ }`
	`251`	`+}`
	`252`	`+`
	`253`	`+impl From<bincode::error::DecodeError> for Error {`
	`254`	`+ fn from(other: bincode::error::DecodeError) -> Self {`
`249`	`255`	`Self::Internal(other.to_string())`
`250`	`256`	`}`
`251`	`257`	`}`
Original file line number	Diff line number	Diff line change
`@@ -112,8 +112,15 @@ pub fn sqlite_errmsg_to_string(errmsg: *const std::ffi::c_char) -> String {`
`112`	`112`	`}`
`113`	`113`
`114`	`114`	`#[cfg(feature = "replication")]`
`115`		`-impl From<bincode::Error> for Error {`
`116`		`- fn from(e: bincode::Error) -> Self {`
`117`		`- Error::Bincode(e.into())`
	`115`	`+impl From<bincode::error::EncodeError> for Error {`
	`116`	`+ fn from(e: bincode::error::EncodeError) -> Self {`
	`117`	`+ Error::Bincode(e.to_string().into())`
	`118`	`+ }`
	`119`	`+}`
	`120`	`+`
	`121`	`+#[cfg(feature = "replication")]`
	`122`	`+impl From<bincode::error::DecodeError> for Error {`
	`123`	`+ fn from(e: bincode::error::DecodeError) -> Self {`
	`124`	`+ Error::Bincode(e.to_string().into())`
`118`	`125`	`}`
`119`	`126`	`}`