Cargo audit security advisories

[muursh]

chrono - 0.4.19 - segfault in localtime_r - no safe upgrade
time - 0.1.44 - segfault in time crate - upgrade to >=0.2.23
wasmtime - 0.27.0 - multiple vulnerabilities - upgrade to >=0.30.0
zeroize_derive - 1.1.0 - doesn't implement drop for enum - upgrade to >= 1.1.1

net2 is unmaintained :(

The above is true in staging as of 22/10/21. I have no idea if anyone is changing any of the above in anything they're working on. If anyone is can they comment here and let me know.

I'll create a PR to fix the obvious ones.

We need to decide what to do about net2 given it's not maintained anymore. Do we wait for parity or should we be more proactive?

[muursh]

Also I'm adding cargo audit to our CI

[TheQuantumPhysicist]

Let's discuss the priority of this issue at some point.

[muursh]

Of which issue? The entirety of the advisories or just unmaintained crate?

[TheQuantumPhysicist]

The priority of each, or all of them. I bet some of us think this is super prior and others think the opposite.

On one hand, these are not important as long as we're in testnet and we're more focused on features that work properly. On the other hand, these are important because they affect our software in a way or another. I'm more biased towards the former since we're far from being worried about long-term software issues since most of our protocols and implementations are not done anyway. Either way, we should discuss this topic, or at least clearly express the priority.

Maybe on Monday's daily we can talk about it a little bit.