Unfortunately the finance analogy is sufficiently outside my wheelhouse as to be indecipherable to me. (Analogies are helpful to add intuition but they shouldn’t replace the description of the actual thing).
The problem is not just the analogy but the names were changed to protect the guilty parties adding further obfuscation. Though the links are correct and you can follow the bouncing ball a little easier replacing the fake names in the article with the real names from the links:
stuff -> insta
learned-rust-this-way -> yaml-rust
to default/defaulted -> serde-yaml
As I read it: insta was depending on yaml-rust. RUSTSEC issued an advisory against yaml-rust. Some shade is thrown on yaml-rust for being unmaintained and basically a student project of someone learning the language for the first time, adding to the irony/brittleness of its unmaintained (though still working) state and now the RUSTSEC callout. In insta trying to switch to some alternative to yaml-rust the next most common library serde-yaml preemptively announced its unmaintained status. So insta just vendored yaml-rust and called it a day, which currently works to remove the RUSTSEC complaints but doesn't fix the long term maintenance problem.
