fix: Replace `serde_yml` with `serde_yaml_ng` to fix RUSTSEC-2025-0067/0068 (#11755)
## Summary
- Replaces the `serde_yml` (0.0.12) dependency with `serde_yaml_ng`
(0.10.0) across the workspace
- Removes transitive dependency on `libyml` (0.0.5), which is flagged as
unsound
## Why
`serde_yml` and its transitive dependency `libyml` are flagged by two
RustSec advisories:
- **RUSTSEC-2025-0067**: `serde_yml` is unmaintained
- **RUSTSEC-2025-0068**: `libyml` contains unsound code
`serde_yaml_ng` is the maintained fork (by the original `serde_yaml`
author's community) and provides an API-compatible replacement. It uses
`unsafe-libyaml` instead of the unsound `libyml`.
## What changed
Workspace `Cargo.toml` and four crate `Cargo.toml` files
(`turborepo-shim`, `turborepo-repository`, `turborepo-lockfiles`,
`turborepo-lib`) updated to depend on `serde_yaml_ng` instead of
`serde_yml`. Seven Rust source files updated to use `serde_yaml_ng::`
paths. The API surface (`from_str`, `from_slice`, `from_reader`,
`to_string`, `Value`, `Error`) is identical.
## Testing
- `cargo check` passes for all four affected crates
- `cargo test -p turborepo-lockfiles` — all 303 tests pass
- `cargo audit` confirms RUSTSEC-2025-0067 and RUSTSEC-2025-0068 are
resolved
Resolves TURBO-5263
turbo
15f1da2d - fix: Replace `serde_yml` with `serde_yaml_ng` to fix RUSTSEC-2025-0067/0068 (#11755)
