Add cargo-audit / cargo-deny to the CI
Cargo-audit should be told to ignore the time/chrono crates. These are perennial:
```
% cargo audit
...
Crate: chrono
Version: 0.4.19
Title: Potential segfault in `localtime_r` invocations
Date: 2020-11-10
ID: RUSTSEC-2020-0159
URL: https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution: No safe upgrade is available!
Dependency tree:
chrono 0.4.19
├── lopdf 0.26.0
│   └── librsvg 2.53.1
└── librsvg 2.53.1

Crate: time
Version: 0.1.43
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.43
```
I think gst-plugins-rs has an incantation to tell cargo audit to skip them.

Rationale: they are dependencies of lopdf and xml5ever. The former is only used in the test suite, and the latter is only for xml5ever's internal profiler.
Edited by Federico Mena Quintero
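One way to record the two exceptions from the output above is cargo-audit's per-repository configuration file. This is an added example, not taken from the issue or from gst-plugins-rs; the file location `.cargo/audit.toml` at the repository root is assumed.

```toml
# .cargo/audit.toml
# Added example, not part of the original issue.
# Only the two advisory IDs reported above are suppressed; any other
# advisory still makes `cargo audit` exit non-zero and fail the CI job.

[advisories]
ignore = [
    # chrono 0.4.19: potential segfault in `localtime_r` invocations.
    # Per the issue's rationale it comes in through lopdf, which is
    # only used in the test suite.
    "RUSTSEC-2020-0159",

    # time 0.1.43: potential segfault in the time crate.
    # Per the issue's rationale it is only needed for xml5ever's
    # internal profiler.
    "RUSTSEC-2020-0071",
]
```

Each entry should be dropped once the dependency that pulls in the affected crate is upgraded or removed, so the exception does not outlive its rationale. cargo-deny accepts the same IDs under `[advisories]` `ignore` in its `deny.toml`.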