Update Dependencies #6

[achiurizo]

📋 slack audit #6

We should update the dependencies listed from the Audit see

[isSerge]

• update frontend dependencies
• update rust dependencies
  • owning_ref (ongoing pr to our libp2p fork, then discussed with Nazar)
  • time (discussed with trail of bits)
  • ansi_term (opened an issue on substrate: RUSTSEC-2021-0139: ansi_term is Unmaintained paritytech/polkadot-sdk#31, and also keeping track of the already opened issue on tracing: RUSTSEC-2021-0139: ansi_term is Unmaintained tokio-rs/tracing#2282, tracing actually fixed the issue, just waiting on the new release)
  • dotenv
  • xml-rs (Using quick-xml ebarnard/rust-plist#68 I volunteered, and also: Maintenance of xml-rs netvl/xml-rs#221)
  • blake2
  • block-buffer
  • cpufeatures
  • iana-time-zone
  • sp-version (I couldn't find such issue when I ran "cargo audit" myself, confirmed with Artur Cygan that this is not an issue to be worried about)

[ozgunozerk]

• time: for time dependency, we don't need to fix it. In summary, time package is only used by chrono in our dependency tree. And chrono does not use the vulnerable part of the time crate. CVE-2020-26235 advisory for time 0.1 dependency chronotope/chrono#602 (comment)
  In the upcoming release of chrono, they will get rid of time.

• owning_ref: The same goes for owning_ref, the prometheus dependency in our substrate fork, does not use the vulnerable part of the owning_ref. And soon, it will be upgraded to a newer version of prometheus, which does not use owning_ref.

[isSerge]

As mentioned on the Dev Sync, frontend dependencies with vulnerabilities (got and git-clone) are devDependencies, which are not included in the production bundle. I also notified Quasar devs about these vulnerabilities and they promised to fix/update those

[ozgunozerk]

The remaining unticked dependencies above, are not security issues, but rather warnings about unmaintained dependencies. Thus, they are not blockers for the audit. It is sufficient to have an issue for them to keep track.

These are indirect dependencies, and there are opened issues for replacing these unmaintained ones with alternatives. When the parent dependencies of these indirect ones, replace these unmaintained ones, we can upgrade our dependencies as well, and these minor warnings will be resolved then.

Again, since these are NOT security issues, it's not mandatory but a good to have to replace them when the appropriate time comes.