Fix smallvec vulnerability

ci/advisory

@@ -6,6 +6,9 @@ then
     sed -i -e 's|db-path.*|db-path = "/cache/cargo/advisory-db"|' deny.toml
 fi
 
+echo '--- deny: Version'
+cargo deny --version
+
 echo '--- deny: Advisories'
 cargo deny check advisories
 

default.nix

@@ -10,6 +10,7 @@ in
     name = "clang-env-with-nightly-rust";
     buildInputs = [
       (pkgs.rustChannelOf { rustToolchain = ./rust-toolchain; }).rust
+      cargo-deny
       clang
       llvmPackages.libclang
       olm

deny.toml

@@ -5,7 +5,7 @@
 # The path where the advisory database is cloned/fetched into
 db-path = "~/cargo/advisory-db"
 # The url of the advisory database to use
-db-url = "https://github.com/rustsec/advisory-db"
+db-urls = [ "https://github.com/rustsec/advisory-db" ]
 # The lint level for security vulnerabilities
 vulnerability = "deny"
 # The lint level for unmaintained crates

librad/Cargo.toml

@@ -111,6 +111,14 @@ features = ["logging", "dangerous_configuration"]
 version = "1.0"
 features = ["derive"]
 
+# Note: this is not a direct dependency. governor depends on
+# parking_lot, which depends on smallvec. There is vulnerability
+# in v1.0 and so we're forcing cargo to use this version instead.
+#
+# Tracking issue in governor: https://github.com/antifuchs/governor/issues/60
+[dependencies.smallvec]
+version = ">=1.6.1"
+
 [dependencies.tokio]
 version = "0.2"
 features = ["full"]