launchdarkly / rust-server-sdk

LaunchDarkly Server-Side SDK for Rust
https://docs.launchdarkly.com/sdk/server-side/rust

Update package versions #19

Closed ranandfigma closed 1 year ago

ranandfigma commented 1 year ago

A number of packages are on very old versions that contain unmaintained/deprecated dependencies that have known vulnerabilities. Here is a list of the couple that were picked up by cargo-deny:

error[A001]: Data race when sending and receiving after closing a `oneshot` channel
    ┌─ /home/runner/work/figma/figma/Cargo.lock:491:1
    │
491 │ tokio 0.1.22 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------ security vulnerability detected
    │
    = ID: RUSTSEC-2021-0124
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0124
    = If a `tokio::sync::oneshot` channel is closed (via the
      [`oneshot::Receiver::close`] method), a data race may occur if the
      `oneshot::Sender::send` method is called while the corresponding
      `oneshot::Receiver` is `await`ed or calling `try_recv`.

      When these methods are called concurrently on a closed channel, the two halves
      of the channel can concurrently access a shared memory location, resulting in a
      data race. This has been observed to [cause memory corruption][corruption].

      Note that the race only occurs when **both** halves of the channel are used
      after the `Receiver` half has called `close`. Code where `close` is not used, or where the
      `Receiver` is not `await`ed and `try_recv` is not called after calling `close`,
      is not affected.

      See [tokio#4225][issue] for more details.

      [corruption]: https://github.com/tokio-rs/tokio/issues/4225#issuecomment-967434847
      [issue]: https://github.com/tokio-rs/tokio/issues/4225
      [`oneshot::Receiver::close`]: https://docs.rs/tokio/1.14.0/tokio/sync/oneshot/struct.Receiver.html#method.close
    = Announcement: https://github.com/tokio-rs/tokio/issues/4225
    = Solution: Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
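
The following is an added example, not code from this issue or from the LaunchDarkly SDK: a small std-only Rust program that parses a cargo-deny advisory block like the one above and answers the two questions a reviewer asks when triaging such output, namely which crate and locked version are flagged, and whether a given version (the locked one, or a candidate upgrade) satisfies the advisory's `Solution` ranges. The struct and function names (`Version`, `Constraint`, `Advisory`, `parse_advisory`, `is_patched`, `affects_locked`) are assumptions of this example, and the embedded `REPORT` text is trimmed from the report in the issue.

```rust
// Added example (not code from the issue or the LaunchDarkly SDK).
// Parses one cargo-deny advisory block and checks versions against its
// "Solution" line. Names below are this example's own.

/// Sample input: the tokio advisory block from the cargo-deny output in the
/// issue, trimmed to the lines this parser looks at.
const REPORT: &str = r#"error[A001]: Data race when sending and receiving after closing a `oneshot` channel
    ┌─ Cargo.lock:491:1
    │
491 │ tokio 0.1.22 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------ security vulnerability detected
    │
    = ID: RUSTSEC-2021-0124
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0124
    = Announcement: https://github.com/tokio-rs/tokio/issues/4225
    = Solution: Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
"#;

/// A plain major.minor.patch version; pre-release tags are not handled.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
struct Version { major: u64, minor: u64, patch: u64 }

impl Version {
    fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let major = parts.next()??;
        let minor = parts.next().unwrap_or(Some(0))?;
        let patch = parts.next().unwrap_or(Some(0))?;
        Some(Version { major, minor, patch })
    }
}

#[derive(Debug, Clone, Copy)]
enum Op { Ge, Gt, Le, Lt, Eq }

/// One comparison such as ">=1.8.4" or "<1.9.0".
#[derive(Debug, Clone, Copy)]
struct Constraint { op: Op, bound: Version }

impl Constraint {
    fn parse(s: &str) -> Option<Constraint> {
        let s = s.trim();
        let (op, rest) = if let Some(r) = s.strip_prefix(">=") { (Op::Ge, r) }
            else if let Some(r) = s.strip_prefix("<=") { (Op::Le, r) }
            else if let Some(r) = s.strip_prefix('>') { (Op::Gt, r) }
            else if let Some(r) = s.strip_prefix('<') { (Op::Lt, r) }
            else if let Some(r) = s.strip_prefix('=') { (Op::Eq, r) }
            else { (Op::Eq, s) };
        Some(Constraint { op, bound: Version::parse(rest)? })
    }

    fn matches(&self, v: Version) -> bool {
        match self.op {
            Op::Ge => v >= self.bound,
            Op::Gt => v > self.bound,
            Op::Le => v <= self.bound,
            Op::Lt => v < self.bound,
            Op::Eq => v == self.bound,
        }
    }
}

/// The parts of an advisory block that matter for triage. `patched` holds the
/// "OR"-separated alternatives of the Solution line; every constraint in an
/// alternative must hold for a version to count as patched.
#[derive(Debug)]
struct Advisory { id: String, krate: String, locked: Version, patched: Vec<Vec<Constraint>> }

impl Advisory {
    /// True if `candidate` satisfies at least one Solution alternative.
    fn is_patched(&self, candidate: Version) -> bool {
        self.patched.iter().any(|alt| alt.iter().all(|c| c.matches(candidate)))
    }

    /// True if the version pinned in Cargo.lock is still inside the vulnerable range.
    fn affects_locked(&self) -> bool { !self.is_patched(self.locked) }
}

fn parse_advisory(report: &str) -> Option<Advisory> {
    let mut id: Option<String> = None;
    let mut krate: Option<String> = None;
    let mut locked: Option<Version> = None;
    let mut patched: Vec<Vec<Constraint>> = Vec::new();
    for raw in report.lines() {
        let line = raw.trim();
        if let Some(rest) = line.strip_prefix("= ID: ") {
            id = Some(rest.trim().to_string());
        } else if let Some(rest) = line.strip_prefix("= Solution: ") {
            let ranges = rest.trim().trim_start_matches("Upgrade to ");
            patched = ranges
                .split(" OR ")
                .map(|alt| alt.split(',').filter_map(Constraint::parse).collect())
                .collect();
        } else if line.contains(" registry+") {
            // Lockfile line: "<lineno> │ <crate> <version> registry+<source>".
            // Drop the line number and the box-drawing bar, keep crate and version.
            let mut words = line
                .split_whitespace()
                .filter(|w| *w != "│" && w.parse::<u64>().is_err());
            krate = words.next().map(str::to_string);
            locked = words.next().and_then(Version::parse);
        }
    }
    Some(Advisory { id: id?, krate: krate?, locked: locked?, patched })
}

fn main() {
    let adv = parse_advisory(REPORT).expect("unrecognised advisory block");
    println!("{}: {} {:?} affected = {}", adv.id, adv.krate, adv.locked, adv.affects_locked());
}
```

Running it prints that tokio 0.1.22 is affected; the same `is_patched` check applied to a proposed upgrade version tells you in advance whether the bump actually clears the advisory (for this one, 1.9.0 through 1.13.0 do not, because the first alternative stops below 1.9.0 and the second starts at 1.13.1).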

cwaldren-ld commented 1 year ago

Thank you for the report @ranandfigma. We are working on a release that will contain upgrades to many of our dependencies.

Filed internally as 178110.

cwaldren-ld commented 1 year ago

Hi @ranandfigma , the latest 1.0 release has updated dependencies.

Specifically, reqwest has been entirely removed. Feel free to file a new issue if you encounter any more problems.