facebook / starlark-rust

A Rust implementation of the Starlark language
Apache License 2.0

Please update dependencies to non-vulnerable versions #49

Closed antifuchs closed 2 years ago

antifuchs commented 2 years ago

Currently, running cargo deny check advisories on a rust project that uses the starlark crate results in errors about RUSTSEC advisories, both of them fixed by now:

Would it be possible to bump those versions?

ndmitchell commented 2 years ago

Thanks for putting together that list. Happily, we can upgrade to the latest version of both those packages without any code changes, so I've shoved up an internal diff to do so (it will be mirrored open source as soon as someone accepts it, sometime Monday probably). Would it be useful to get a release with those changes included?

I wonder if this should go into our CI? Annoying that it requires installing cargo-deny though; it would be much easier if it was a standard part of Cargo.

antifuchs commented 2 years ago

Thanks for pushing that changeset in - look forward to it landing here. A release when it lands would be amazing - I'm in the process of porting to starlark 0.7 myself (:

Not sure if your CI uses GitHub Actions internally (my guess is no), but if running cargo check on the OSS repo is sufficient for you, I use cargo deny in governor here, using the GitHub Action published by EmbarkStudios: https://github.com/antifuchs/governor/blob/master/.github/workflows/ci_push.yml#L53-L60. That has a cached install of cargo-deny, isn't tedious, and doesn't take a long time to run.
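For readers who want to wire the advisory check described above into their own repository, the following is an added example workflow (not the governor or starlark-rust CI, and not code from this thread). It assumes the EmbarkStudios/cargo-deny-action action and a deny.toml at the repository root; the matrix entries for bans, licenses and sources go beyond the advisories check the thread discusses.

```yaml
# .github/workflows/cargo-deny.yml (added example, not from the issue)
name: cargo-deny

on:
  push:
  pull_request:

jobs:
  cargo-deny:
    runs-on: ubuntu-latest
    strategy:
      # Run each check as its own job so a failing advisory check does
      # not hide the result of the license or source checks.
      matrix:
        checks:
          - advisories          # RUSTSEC entries from the advisory-db
          - bans licenses sources
    # Only the advisories job should fail the build on a freshly
    # published advisory; the other checks are fully under our control.
    continue-on-error: ${{ matrix.checks == 'advisories' }}
    steps:
      - uses: actions/checkout@v3
      # Action by EmbarkStudios (assumed name/version); it ships a
      # prebuilt cargo-deny so nothing is compiled on every run.
      - uses: EmbarkStudios/cargo-deny-action@v1
        with:
          # Reads deny.toml from the repository root by default
          # (assumed default; override with the `arguments` input).
          command: check ${{ matrix.checks }}
```

If the crate pins a dependency that cannot be bumped yet, record the specific RUSTSEC id in the `ignore` list of deny.toml's `[advisories]` section (with a comment explaining why) rather than disabling the check.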

ndmitchell commented 2 years ago

Cool, will release once it lands (I think it's probably a 0.8 as there are probably some minor breaking changes, but I'll double check).

Running cargo check in the OSS repo seems good enough, that action looks pretty good, so I'll take a go at integrating it.

ndmitchell commented 2 years ago

Fixed in a74f58b19494fb3a02ccdcfda4a5066d9291aebc and a release of 0.8 with the changes.

ndmitchell commented 2 years ago

Tests added to CI in 959865fdc4bbcef69c78e8bd8daa7736b3121985