@0xZaddyy
Contributor

Summary

This PR audits serialization trait implementations across the codebase to prevent unintentional API exposure and reduce dependencies. This change makes serde serialization optional behind a feature flag rather than mandatory.

Closes #1147

Pull Request Checklist

Please confirm the following before requesting review:

 Remove unintended serde derives from types that shouldn't be serializable by default. Conditionally enable serialization behind feature flag to prevent accidental API exposure through serialization.
@coveralls
Collaborator

Pull Request Test Coverage Report for Build 20133889849

Details

  • 1 of 1 (100.0%) changed or added relevant line in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 83.176%

Totals Coverage Status
Change from base Build 20109603088: 0.0%
Covered Lines: 9665
Relevant Lines: 11620

💛 - Coveralls

@nothingmuch
Collaborator

nothingmuch commented Dec 12, 2025

I don't know about the serde usage in the ffi stuff and how appropriate it is to remove it for those types

Only commenting about the removal and feature gating in the payjoin crate: I don't think a feature flag for this is desirable because:

  • it's one more feature flag, or 2x the feature flag combinations, which are already intractable for us to test
  • serialization is required as part of persistence for correct implementation of the protocol, and not all struct fields are pub

so with the feature disabled the crate couldn't be used to write a safe implementation

so I think this dependence on serde in our public api is actually desirable and intended

@nothingmuch nothingmuch requested review from spacebear21 and removed request for arminsabouri December 12, 2025 01:11
@spacebear21
Collaborator

Removing the De/Serialize from payjoin-ffi seems appropriate; they don't do anything there and were probably just copied over unintentionally. Agreed about keeping serde tightly coupled with rust-payjoin for persistence.

Development

Successfully merging this pull request may close these issues.

audit types for unintentional trait implementations
