frequency-chain / frequency

Frequency: A Polkadot Parachain
https://www.frequency.xyz
Apache License 2.0

[chore] Request Pull Request to cid crate to update dependency for multihash 0.18.1 #1417

Closed mattheworris closed 1 year ago

mattheworris commented 1 year ago

The cid and multihash crates work together to evaluate Content Identifiers for IPFS. multihash is a dependency of cid, and in v0.18.0 it has a bug that causes a panic on bad strings. cid should update its dependency to multihash:0.18.1, at which point Frequency's dependency on cid should be updated.

mattheworris commented 1 year ago

A pull request has been created in the rust-cid repo, but there has been no action from the maintainers. https://github.com/multiformats/rust-cid/pull/135

wilwade commented 1 year ago

@mattheworris I think it is time to either fork and apply our fix or solve for it ourselves. Thoughts?

mattheworris commented 1 year ago

> @mattheworris I think it is time to either fork and apply our fix or solve for it ourselves. Thoughts?

As the problem lies with a transitive dependency, and the cid dependency = 0.18.0 which is compatible with the correct 0.18.1 version, I suggest adding the following to our Cargo.toml:

[patch."https://github.com/multiformats/rust-cid"]
multihash = "0.18.1"

This will ensure that Frequency uses the correct version of multihash and should ensure the cid crate remains compatible with the fix version. If, in the future, the cid crate changes, then cargo would let us know if there was an incompatibility.
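
A check that could run in CI after an override like the one above, to confirm which multihash version Cargo.lock actually resolved. This is an added example, not code from this issue or from the Frequency repository; the function names and the sample lockfile are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every version of a crate that Cargo.lock resolved and
# fail when a known-bad version is still among them.
# Real use: lock_excludes_version Cargo.lock multihash 0.18.0

# Print each locked version of crate $2 found in lockfile $1, one per line.
locked_versions() {
    awk -v crate="$2" '
        /^\[\[package\]\]/      { in_pkg = 1; name = ""; next }
        /^\[/                   { in_pkg = 0 }   # any other table ends the entry
        in_pkg && /^name = /    { gsub(/"/, "", $3); name = $3 }
        in_pkg && /^version = / { gsub(/"/, "", $3); if (name == crate) print $3 }
    ' "$1"
}

# Return 0 when crate $2 is locked and no locked copy is the bad version $3,
# 1 when the bad version is present, 2 when the crate is not in the lockfile.
lock_excludes_version() {
    versions=$(locked_versions "$1" "$2")
    [ -n "$versions" ] || { echo "$2 not found in $1" >&2; return 2; }
    if printf '%s\n' "$versions" | grep -qxF "$3"; then
        echo "$2 $3 is still in the dependency graph" >&2
        return 1
    fi
    return 0
}

# Write a constructed sample lockfile to $1 with multihash at version $2.
# The cid version is a placeholder, not Frequency's real lock entry.
write_sample_lock() {
    cat > "$1" <<EOF
version = 3

[[package]]
name = "cid"
version = "0.0.0"
dependencies = [
 "multihash",
]

[[package]]
name = "multihash"
version = "$2"
EOF
}

# Demo on the constructed sample: the check rejects a lock that holds 0.18.0.
demo=$(mktemp)
write_sample_lock "$demo" 0.18.0
lock_excludes_version "$demo" multihash 0.18.0 || echo "check failed as intended"
rm -f "$demo"
```
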

wilwade commented 1 year ago

@mattheworris Sounds good to me. Put a comment in about it so we can know if we can remove it later.