Address RUSTSEC-2021-0124

[djmitche]

This is a vulnerability in tokio, which is required by Actix-web. For the moment, let's ignore it, and then decide whether to upgrade actix to suit, or switch to a different (simpler) web server package.

[djmitche]

It looks like the audit-check action does not support --ignore, so for the moment it might be best to just disable this check. We can re-enable it either when this advisory is addressed (by actix-web) or after switching to another web framework.

[djmitche]

Hm, audit-check appears unmaintained. I've pinged the maintainer, but if no response then we might need to fork that action.

[djmitche]

@tbabej ok if I fork that to the GothenburgBitFactory org or should I do it to djmitche?

[tbabej]

Forking under the org is fine with me!

[pinkforest]

Hi lovelies, feel free to PR link to the fork here: https://github.com/rust-secure-code/projects 💜

Or.. maybe we could adopt it under rust-secure-code / rustsec ? -

I've asked others whether this is something we could do: rust-secure-code/wg#46

[djmitche]

I just noted in #2903 that the fork doesn't actually add any value over upstream. But this does seem to be a fairly "important" rust-security-related action, so I'd vote to include it in a collective org like rust-secure-code.

[pinkforest]

Cool. There is also cargo-deny alternatively e.g.:
libp2p/rust-libp2p#2803

But I'll see the feasibility of whether we can adopt this in the meantime

[djmitche]

This has been resolved in other repos.