chore(deps): bump serde_yaml_bw from 2.5.2 to 2.5.4#424

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/serde_yaml_bw-2.5.4

Conversation


dependabot[bot] commented on behalf of github on Mar 31, 2026

Bumps serde_yaml_bw from 2.5.2 to 2.5.4.

Release notes

Sourced from serde_yaml_bw's releases.

2.5.4 safety hardening release

  • YAML parsing and loading have been hardened substantially, especially around malformed/incomplete documents, alias handling, merge-key fallback behavior, directives, and reader-based inputs that previously could over-read or behave poorly on invalid streams.
  • Budget enforcement was refactored and strengthened, including better tracking across parser events and additional protection against suspicious alias/anchor patterns.
  • Value semantics were tightened for consistency: numeric equality/order behavior was improved (2 vs 2.0), and mapping/value ordering and hashing received regression coverage to keep comparisons consistent.
  • Serialization/parsing internals were updated to newer dependency ranges, notably switching to saphyr-parser-bw and widening compatibility for crates like indexmap, regex, and num-traits.
  • Test coverage expanded with new regressions for infinite invalid readers, scalar-void handling, mapping ordering, IO edge cases, document limits, and multiple alias/merge corner cases.
  • Project maintenance/CI also improved with new GitHub Actions for API compatibility checks and scheduled Miri runs, plus README badges for both workflows. Miri detected a memory leak while processing a specific malicious (crafted) YAML file, which was fixed.

2.5.3 maintenance release

This release switches to

indexmap = ">=2.0, <2.14" # All range tested

It also switches from saphyr-parser to saphyr-parser-bw, a fork of it that is maintained by the same people as serde-yaml-bw and that contains multiple safety hardenings and continuous security audits, as well as being used as the primary parser for serde-saphyr.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [serde_yaml_bw](https://github.com/bourumir-wyngs/serde-yaml-bw) from 2.5.2 to 2.5.4.
- [Release notes](https://github.com/bourumir-wyngs/serde-yaml-bw/releases)
- [Commits](https://github.com/bourumir-wyngs/serde-yaml-bw/commits/2.5.4)

---
updated-dependencies:
- dependency-name: serde_yaml_bw
  dependency-version: 2.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) on Mar 31, 2026
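The 2.5.4 release notes above mention strengthened budget enforcement and protection against suspicious alias/anchor patterns, alongside hardening of alias handling on malformed documents. What that class of defence looks like is shown in the following added, self-contained Rust example. It is written for this page and is not code from serde_yaml_bw or saphyr-parser-bw; the `Node`, `Resolved` and `LoadError` types, the `load`, `billion_laughs` and `benign_doc` functions and the budget of one million nodes are all this example's own assumptions, and the crate's real API and limits are not reproduced here. The example skips text parsing and works on an already-parsed node graph constructed inline. It charges every node the resolved document would contain against a fixed budget and fails as soon as the budget is crossed, so a billion-laughs-shaped document is rejected before it is materialised; it also rejects an alias with no anchor and an alias used inside its own anchor, two of the malformed-alias shapes a tree-producing loader has to refuse.

```rust
use std::collections::{HashMap, HashSet};

/// Minimal model of a parsed YAML node graph: just anchors, aliases, sequences, scalars.
/// Parsing text into this tree is out of scope here; documents below are constructed inline.
#[derive(Debug, Clone, PartialEq)]
enum Node {
    Scalar(String),
    Seq(Vec<Node>),
    /// `&name value`: defines an anchor that later aliases may refer to.
    Anchor(String, Box<Node>),
    /// `*name`: refers back to an anchor defined earlier in the document.
    Alias(String),
}

/// The fully materialised document, every alias replaced by a copy of its target.
#[derive(Debug, Clone, PartialEq)]
enum Resolved {
    Scalar(String),
    Seq(Vec<Resolved>),
}

#[derive(Debug, Clone, PartialEq)]
enum LoadError {
    /// `*name` with no matching `&name` earlier in the document.
    UndefinedAlias(String),
    /// `*name` used inside the node that `&name` is still defining (a cycle).
    RecursiveAlias(String),
    /// Materialising the document would exceed `limit` nodes; stopped before doing so.
    BudgetExceeded { limit: usize },
}

struct Expander<'a> {
    anchors: HashMap<String, &'a Node>,
    in_progress: HashSet<String>,
    materialised: usize,
    limit: usize,
}

impl<'a> Expander<'a> {
    /// Account for one output node and fail the moment the budget is crossed,
    /// so a hostile document costs at most `limit` units of work and memory.
    fn charge(&mut self) -> Result<(), LoadError> {
        self.materialised += 1;
        if self.materialised > self.limit {
            return Err(LoadError::BudgetExceeded { limit: self.limit });
        }
        Ok(())
    }

    fn expand(&mut self, node: &'a Node) -> Result<Resolved, LoadError> {
        match node {
            Node::Scalar(s) => {
                self.charge()?;
                Ok(Resolved::Scalar(s.clone()))
            }
            Node::Seq(items) => {
                self.charge()?;
                let mut out = Vec::with_capacity(items.len());
                for item in items {
                    out.push(self.expand(item)?);
                }
                Ok(Resolved::Seq(out))
            }
            Node::Anchor(name, inner) => {
                // Register the anchor only after its body resolved, so `&a [*a]` is caught.
                let body: &'a Node = inner;
                self.in_progress.insert(name.clone());
                let resolved = self.expand(body)?;
                self.in_progress.remove(name);
                self.anchors.insert(name.clone(), body);
                Ok(resolved)
            }
            Node::Alias(name) => {
                if self.in_progress.contains(name) {
                    return Err(LoadError::RecursiveAlias(name.clone()));
                }
                let target = *self
                    .anchors
                    .get(name)
                    .ok_or_else(|| LoadError::UndefinedAlias(name.clone()))?;
                // Each alias use re-materialises its target; every node of that copy
                // is charged against the same budget, which is what defeats the bomb.
                self.expand(target)
            }
        }
    }
}

/// Resolve `doc` with at most `limit` materialised nodes; also returns the count used.
fn load(doc: &Node, limit: usize) -> Result<(Resolved, usize), LoadError> {
    let mut ex = Expander { anchors: HashMap::new(), in_progress: HashSet::new(), materialised: 0, limit };
    let resolved = ex.expand(doc)?;
    Ok((resolved, ex.materialised))
}

/// Constructed "billion laughs" shape: level 0 is `fanout` scalars, each later level is
/// `fanout` aliases to the level below, so the resolved size grows as fanout^levels.
fn billion_laughs(levels: usize, fanout: usize) -> Node {
    let lol = Node::Scalar("lol".to_string());
    let mut top = vec![Node::Anchor("a0".to_string(), Box::new(Node::Seq(vec![lol; fanout])))];
    for i in 1..levels {
        let prev = Node::Alias(format!("a{}", i - 1));
        top.push(Node::Anchor(format!("a{}", i), Box::new(Node::Seq(vec![prev; fanout]))));
    }
    Node::Seq(top)
}

/// Constructed legitimate use of aliases: shared defaults referenced twice.
fn benign_doc() -> Node {
    let defaults = Node::Seq(vec![Node::Scalar("a".to_string()), Node::Scalar("b".to_string())]);
    Node::Seq(vec![
        Node::Anchor("defaults".to_string(), Box::new(defaults)),
        Node::Alias("defaults".to_string()),
        Node::Alias("defaults".to_string()),
    ])
}

fn main() {
    // 9^9 scalars if expanded naively; the budget stops it after one million nodes.
    match load(&billion_laughs(9, 9), 1_000_000) {
        Err(LoadError::BudgetExceeded { limit }) => println!("rejected: would exceed {} nodes", limit),
        other => println!("unexpected: {:?}", other),
    }
    let (_, used) = load(&benign_doc(), 100).expect("benign document loads");
    println!("benign document materialised {} nodes", used);
}
```

The design point is that the budget is charged during expansion rather than checked on the input size: the alias bomb is tiny as text and only becomes large when aliases are copied, so any limit applied before resolution misses it. Registering an anchor only after its body has been resolved is what turns a self-referential alias into an error instead of unbounded recursion.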