fpagliughi / rust-industrial-io

Rust interface to the Linux Industrial I/O subsystem
MIT License
45 stars 21 forks

Update nix dependency to avoid linking vulnerable version #21

Closed skrap closed 2 years ago

skrap commented 2 years ago

The nix crate has a vulnerability in the 0.16 version which is a dependency of this crate.

https://rustsec.org/advisories/RUSTSEC-2021-0119

Since the crate dependency is specified as "0.16" without an operator, cargo treats that as a caret requirement, which means that only 0.16.X will be acceptable. (An update is allowed if the new version number does not modify the left-most non-zero digit in the major, minor, patch grouping, per the caret requirement cargo docs.)

My request is that you switch to an explicit >= operator, like nix = ">=0.16". I think this will allow current patched versions of nix to be used with this crate.

Thanks!

fpagliughi commented 2 years ago

Oh, jeez, I just updated nix support on a dozen different projects and forgot to do it on this one before the new release(s).

Yeah, 0.16 is ancient at this point! I don't think I would want to do ">=0.16", as that would allow it to select newer versions with breaking changes. It could break this crate, if I understand how ">=" works with pre-v1.0 semver crates.

But certainly I can update the dependency to the latest (0.23?) version, test, and release that.
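The two comments above disagree about what `nix = "0.16"` versus `nix = ">=0.16"` lets cargo pick. The following is an added example, not code from rust-industrial-io or from either commenter: it implements the caret rule from the Cargo reference (the left-most non-zero component of major.minor.patch may not change) and the `>=` rule with only the standard library, then resolves both requirements against a constructed list of candidate versions. The candidate list and the `Version`, `Req`, `parse_req`, `matches` and `resolve` names are all assumptions made for this illustration; the example also covers the `^0`, `^0.0` and `^0.0.K` corner cases that the thread does not mention.

```rust
// Added example: how Cargo interprets "0.16" (caret) versus ">=0.16".
// Standard library only; no `semver` crate. The rules follow the Cargo
// reference's "Specifying Dependencies" chapter.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "0.16.1", or the partial forms "0.16" / "0", into a Version.
    /// Components that were not written are taken as 0, as Cargo does
    /// for a requirement. Anything that is not 1..=3 numeric parts is rejected.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let major = parts.next()??;
        let minor = parts.next().unwrap_or(Some(0))?;
        let patch = parts.next().unwrap_or(Some(0))?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// A requirement as Cargo would read it from Cargo.toml (only the two
/// operators discussed in the thread are modelled here).
#[derive(Debug, Clone, Copy)]
pub enum Req {
    /// "0.16" or "^0.16": lower bound plus the number of components written,
    /// which decides the upper bound.
    Caret(Version, usize),
    /// ">=0.16": anything at or above, including breaking 0.x bumps.
    AtLeast(Version),
}

pub fn parse_req(s: &str) -> Option<Req> {
    let s = s.trim();
    if let Some(rest) = s.strip_prefix(">=") {
        return Version::parse(rest).map(Req::AtLeast);
    }
    let rest = s.strip_prefix('^').unwrap_or(s);
    let components = rest.split('.').count();
    Version::parse(rest).map(|v| Req::Caret(v, components))
}

/// Exclusive upper bound of a caret requirement:
/// ^1.2.3 < 2.0.0, ^0.2.3 < 0.3.0, ^0.0.3 < 0.0.4, ^0.0 < 0.1.0, ^0 < 1.0.0.
pub fn caret_upper_bound(v: Version, components: usize) -> Version {
    if v.major > 0 {
        Version { major: v.major + 1, minor: 0, patch: 0 }
    } else if components == 1 {
        Version { major: 1, minor: 0, patch: 0 }
    } else if v.minor > 0 || components == 2 {
        Version { major: 0, minor: v.minor + 1, patch: 0 }
    } else {
        Version { major: 0, minor: 0, patch: v.patch + 1 }
    }
}

pub fn matches(req: Req, candidate: Version) -> bool {
    match req {
        Req::Caret(lo, n) => candidate >= lo && candidate < caret_upper_bound(lo, n),
        Req::AtLeast(lo) => candidate >= lo,
    }
}

/// Newest candidate satisfying the requirement, which is what `cargo update`
/// would select from the registry index.
pub fn resolve(req: Req, candidates: &[Version]) -> Option<Version> {
    candidates.iter().copied().filter(|&c| matches(req, c)).max()
}

fn main() {
    // Constructed candidate list for illustration; not the real nix release history.
    let candidates: Vec<Version> = ["0.16.0", "0.16.1", "0.17.0", "0.23.0", "1.0.0"]
        .iter()
        .map(|s| Version::parse(s).unwrap())
        .collect();
    for spec in ["0.16", ">=0.16", "0.23"] {
        let req = parse_req(spec).unwrap();
        println!("{spec:>8} -> {:?}", resolve(req, &candidates));
    }
}
```

Running it shows `"0.16"` resolving to 0.16.1 (the patch line the advisory covers), `">=0.16"` jumping to the newest candidate regardless of 0.x breaking changes, and `"0.23"` staying inside 0.23.x, which is why bumping the requirement, rather than loosening the operator, is the right fix. To check a tree for advisories like RUSTSEC-2021-0119, `cargo audit` from the RustSec project compares Cargo.lock against the advisory database.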

skrap commented 2 years ago

That would be great! Thank you :)

fpagliughi commented 2 years ago

Ha, yeah, it broke the build. Quick fix, though, which is up in the develop branch.

I'll check the other dependencies while I'm at it, test for a few days, then publish a new version. Feel free to re-open if you see any problems with the update.