Commit

Fix cargo audit issue on chrono (#1907)
* Avoid the chrono crate depending on the time crate

This commit is in response to RUSTSEC-2020-0071 where there is a
potential segfault in the time crate. The aws-smithy-types-convert
crate now disables the default features of the chrono crate so that
it will not depend on the time crate.

* Depend on lambda_http without RUSTSEC-2020-0071

This commit updates the version of lambda_http used by aws-smithy-http-server
and aws-smithy-http-server-python to 0.7.0. The prior version 0.6.0 of
lambda_http used the chrono crate in a way that exposed a security issue
described in RUSTSEC-2020-0071. By switching to 0.7.0 of lambda_http, those
two crates do not exhibit vulnerabilities as reported by cargo audit.

* Bump minor version of lambda_http in pokemon-service

This commit updates the version of `lambda_http` used by `pokemon-service`
from 0.6.0 to 0.7.0. This is in sync with the fact that both
`aws-smithy-http-server` and `aws-smithy-http-server-python` now depend
on 0.7.0 of `lambda_http`. Failing to do so would cause `pokemon-service`
to fail to compile due to an error at `lambda_http::run(handler)` in the
main function of the `pokemon-service-lambda` binary:
the trait `Service<lambda_http::http::Request<lambda_http::Body>>` is not
implemented for `LambdaHandler<aws_smithy_http_server::routing::Router>`

* Depend on lambda-http 0.7.1

This commit updates the version of `lambda_http` from 0.7.0 to 0.7.1 in
the crates within the top-level `rust-runtime` workspace. These updates
are needed to solve the issue described in awslabs/aws-lambda-rust-runtime#556

* Update CHANGELOG.next.toml

* Address #1907

Co-authored-by: Saito <awsaito@c889f3b5ddc4.ant.amazon.com>
Co-authored-by: Zelda Hessler <zhessler@amazon.com>
3 people committed Oct 31, 2022
1 parent 2aafd04 commit f0b7f55
Showing 5 changed files with 10 additions and 4 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.next.toml
@@ -67,3 +67,9 @@ message = "Upgrade Smithy to v1.26"
references = ["smithy-rs#1929"]
meta = { "breaking" = false, "tada" = true, "bug" = false, "target" = "all"}
author = "Velfi"

[[smithy-rs]]
message = "Fix cargo audit issue on chrono."
references = ["smithy-rs#1907"]
meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "all" }
author = "ysaito1001"
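Review bot: the entry text "Fix cargo audit issue on chrono." does not tell a reader which advisory was addressed or what actually changed; the commit message cites RUSTSEC-2020-0071 (a potential segfault in the time crate), so name the advisory here and state the two user-visible effects: aws-smithy-types-convert now builds chrono with default-features = false, and the server crates moved from lambda_http 0.6.0 to 0.7.1. Since the commit message itself records that pokemon-service failed to compile at `lambda_http::run(handler)` until its own lambda_http was bumped in step, consider whether "breaking" = false is accurate for consumers of the lambda integration, and whether "bug" = false is the right flag for an advisory fix.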
2 changes: 1 addition & 1 deletion rust-runtime/aws-smithy-http-server-python/Cargo.toml
@@ -22,7 +22,7 @@ bytes = "1.2"
futures = "0.3"
http = "0.2"
hyper = { version = "0.14.20", features = ["server", "http1", "http2", "tcp", "stream"] }
lambda_http = "0.6.0"
lambda_http = "0.7.1"
num_cpus = "1.13.1"
parking_lot = "0.12.1"
pin-project-lite = "0.2"
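Review bot: nothing on the `lambda_http = "0.7.1"` line records why the version must not go back below 0.7.1; a one-line comment naming RUSTSEC-2020-0071 and awslabs/aws-lambda-rust-runtime#556 (both cited in the commit message) would stop a later contributor from pinning back to 0.6.x to resolve an unrelated conflict. Note also that "0.7.1" is a caret requirement, so the resolved version lives in Cargo.lock rather than on this line; the cargo audit result the commit message describes applies to the lockfile produced by this change, and the lockfile update should travel with it.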
2 changes: 1 addition & 1 deletion rust-runtime/aws-smithy-http-server/Cargo.toml
@@ -26,7 +26,7 @@ futures-util = { version = "0.3", default-features = false }
http = "0.2"
http-body = "0.4"
hyper = { version = "0.14.12", features = ["server", "http1", "http2", "tcp", "stream"] }
lambda_http = "0.6.0"
lambda_http = "0.7.1"
mime = "0.3"
nom = "7"
pin-project-lite = "0.2"
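Review bot: this is the same `lambda_http = "0.6.0"` to `"0.7.1"` edit repeated across three Cargo.toml files, and the commit message says the versions must agree (a mismatch surfaces as the `Service<lambda_http::http::Request<lambda_http::Body>>` not implemented error at `lambda_http::run(handler)`). Declaring the requirement once in the workspace manifest under `[workspace.dependencies]` and inheriting it with `lambda_http = { workspace = true }` in each crate would make that coupling explicit and remove the chance of the three lines drifting apart in a future bump.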
@@ -37,7 +37,7 @@ rustls-pemfile = "1.0.1"
futures-util = "0.3"

# This dependency is only required for the `pokemon-service-lambda` program.
lambda_http = "0.6.0"
lambda_http = "0.7.1"

# Local paths
aws-smithy-http-server = { path = "../../" }
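Review bot: the existing comment above `lambda_http = "0.7.1"` explains only that the dependency is for the `pokemon-service-lambda` program; since this manifest depends on `aws-smithy-http-server` by path and, per the commit message, fails to compile whenever its lambda_http version differs from the one in that crate, the comment should also say that the version must be kept in sync with `rust-runtime/aws-smithy-http-server/Cargo.toml`. That is the only place a future bumper will look before editing this line.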
2 changes: 1 addition & 1 deletion rust-runtime/aws-smithy-types-convert/Cargo.toml
@@ -13,7 +13,7 @@ convert-time = ["aws-smithy-types", "time"]

[dependencies]
aws-smithy-types = { path = "../aws-smithy-types", optional = true }
chrono = { version = "0.4.19", optional = true }
chrono = { version = "0.4.19", optional = true, default-features = false, features = ["std"] }
time = { version = "0.3.4", optional = true }

[package.metadata.docs.rs]
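Review bot: `default-features = false, features = ["std"]` on the chrono line turns off every chrono default feature, not just the one that pulls in the vulnerable time crate, so please confirm that the conversions in this crate need nothing beyond `std` (for instance, no chrono API that only exists with its clock feature enabled) and that the crate's tests still build under this feature set. Two caveats worth a comment on the line itself: first, the advisory is RUSTSEC-2020-0071 (from the commit message), and recording it there is what keeps the next person from restoring the defaults; second, Cargo unifies features across the dependency graph, so any other crate in a consumer's build that enables chrono's default features will reintroduce the time dependency into that build, meaning this change removes the dependency from this crate's own graph but cannot promise downstream builds are free of it.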

0 comments on commit f0b7f55