zola
[RUSTSEC-2024-0003] [RUSTSEC-2024-0019] and [RUSTSEC-2020-0043] (among many others)
Bug Report
Currently this project is depending on dependencies which are vulnerable to: RUSTSEC-2024-0019, RUSTSEC-2024-0003, RUSTSEC-2020-0043
In addition it is also depending on a bunch of unmaintained crates (listed on RUSTSEC too)
Environment
Zola version: Next branch
Expected Behavior
When I run cargo audit on this repo I get no alerts
Step to reproduce
Run cargo audit on the next branch
My proposed solution can be seen in this branch. (I have run cargo test and all of the tests still pass)
Where ws is replaced with parity-ws (ws has yet to merge a PR that would fix RUSTSEC-2020-0043) and cargo update was run to fix the other two vulnerabilities.
See cargo-audit-zola-old.txt for the audit report before my changes and cargo-audit-zola-new.txt for the new audit report. I think markdown is a false positive? since this repo seems to have their own package called markdown.
The other three remaining alerts stem from our dependency on atty, net2 via an old version of mio, and encoding via an old version of lindera
I am less sure how to go about fixing the last three so any suggestions are appreciated
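As an added illustration (not from the reporter's branch or the zola repository), this is how the ws to parity-ws swap described above can be expressed in Cargo.toml so that existing `use ws::...` paths keep compiling, which is why the test suite is unaffected; the parity-ws version shown is an assumption and should be taken from the advisory-free release current at the time of the change.

```toml
# Added example, not zola's own Cargo.toml.
# Cargo's dependency renaming: the crate is fetched as "parity-ws" from
# crates.io, but is exposed to this package under the name "ws", so no
# source files need to change. RUSTSEC-2020-0043 is filed against the
# original "ws" crate, which cargo audit will no longer see in Cargo.lock.
[dependencies]
ws = { package = "parity-ws", version = "0.11" }  # version is an assumption

# After editing, refresh the lock file and re-run the audit:
#   cargo update -p ws   (or plain `cargo update`, as the reporter did)
#   cargo audit
```

Because cargo audit matches advisories by crate name and version in Cargo.lock, a workspace crate that shares its name with a crates.io crate (such as the local `markdown` package mentioned above) can be flagged even though it is not the published crate; check the lock file entry's source before treating such a hit as real.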
Someone is working on some changes for the server (https://github.com/InDieTasten/zola-codespaces/issues/1) cc @InDieTasten so I wouldn't bother changing the ws library for now. As for the deprecated/unmaintained libraries I'll update most of them for the next version. There was one where the maintainer disappeared but I don't remember which one - guess I'll see soon.
I can confirm I'm updating hyper and related dependencies right now :)
As explained in my comment here, I have stopped work on trying to get zola working in GitHub Codespaces for now.
I think it would make sense to push on this from a pure hyper update angle.