scaphandre
Upgrade dependencies to fix dependabot alerts
Bug description
We have dependencies to be upgraded to fix vulns.
To Reproduce
Look at dependabot alerts.
Expected behavior
We should have dependencies up to date at least not to have known vulns.
@bpetit , maybe we could add dependabot.yml file ? It automates the creation of PR related to dependencies updates.
It will not fix everything automatically as it still depends on the way we pinned specific versions in the cargo file, but it could help.
I do not have much experience with this, but I'm testing it on Boavizta cloud scanner. https://github.com/Boavizta/cloud-scanner/blob/main/.github/dependabot.yml
@bpetit @demeringo I agree using dependabot could help here.
I haven't used it with rust but its worked well for go projects I've worked on. It can also update github actions which can be useful.
It will not fix everything automatically as it still depends on the way we pinned specific versions in the cargo file, but it could help
Yes, some manual work will likely be needed but once the deps are updated any out of date dependabot PRs will be closed.
It's possible to set the target-branch to the dev branch.
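For reference, the kind of `.github/dependabot.yml` the two comments above are discussing (cargo dependency updates, GitHub Actions updates, and a target-branch pointing at a development branch). This is an added example, not a file from the scaphandre repository or the Boavizta cloud-scanner repository; the branch name `dev`, the weekly schedule, and the PR limit are assumptions chosen for illustration.

```yaml
# Added example of a dependabot.yml; not the project's own file.
version: 2
updates:
  # Cargo.toml / Cargo.lock updates. Dependabot only bumps what the
  # version requirements in Cargo.toml allow, so strictly pinned
  # versions ("=1.2.3") still need a manual edit before a PR appears.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"        # assumed cadence
    target-branch: "dev"        # assumed name of the development branch
    open-pull-requests-limit: 10 # assumed cap on concurrent PRs
    labels:
      - "dependencies"

  # Keep the actions used in .github/workflows up to date as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"        # assumed cadence
    target-branch: "dev"        # assumed name of the development branch
```

Security-only updates (the ones that close dependabot alerts) are raised regardless of the schedule once the file exists; the schedule only governs routine version bumps. Once the branch named in `target-branch` carries the updated versions, any Dependabot PRs made obsolete by that change are closed automatically.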
This extract of dependabot is outdated, those dependencies have been updated. We have new updates to perform now, but I'll close this issue that's not accurate anymore.