advisory RUSTSEC-2020-0091 #544

Closed
librelois opened this issue Mar 6, 2021 · 1 comment · Fixed by #555
Comments

@librelois

Problem:

error[A001]: Dangling reference in `access::Map` with Constant
  ┌─ /home/path/to/my/project/Cargo.lock:8:1
  │
8 │ arc-swap 0.4.7 registry+https://github.com/rust-lang/crates.io-index
  │ -------------------------------------------------------------------- security vulnerability detected
  │
  = ID: RUSTSEC-2020-0091
  = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0091
  = Using the `arc_swap::access::Map` with the `Constant` test helper (or with
    user-provided implementation of the `Access` trait) could sometimes lead to the
    map returning dangling references.
    
    Replaced by implementation without `unsafe`, at the cost of added `Clone` bound
    on the closure and small penalty on performance.
  = Announcement: https://github.com/vorner/arc-swap/issues/45
  = Solution: Upgrade to >= 1.1.0 OR >= 0.4.8
  = arc-swap v0.4.7
    └── signal-hook-registry v1.2.1
        └── signal-hook v0.1.16
            └── crossterm v0.19.0

Solution: need to upgrade signal-hook dependency

@mainrs
Contributor

mainrs commented Mar 27, 2021

At least during builds arc-swap won't be picked up anymore. I just checked the local Cargo.lock file.
The reason is that signal-hook will automatically resolve to its newest patch version 0.1.17. That version depends on signal-hook-registry@^1.2. This also resolves to the newest minor version of that crate, as it will look for dependencies in a semver-compatible manner (meaning that minor bumps are non-breaking). This resolves to signal-hook-registry@1.3, which got rid of the dependency altogether.

Nevertheless, a PR to bump the version is probably(?) the right way to do it to completely eliminate the possibility of vulnerable builds if the local index is out-of-date (at least that's the only possible way to compile older versions that I could come up with).

I'll open one :)
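An added example, not code from crossterm, cargo-audit or either commenter: a small std-only Rust program that reads the `[[package]]` entries of a Cargo.lock (the excerpt embedded below is constructed to mirror the dependency chain in the report) and flags any arc-swap version that does not fall in the advisory's fixed ranges. The report prints only the lower bounds `>= 1.1.0 OR >= 0.4.8`; the example assumes the 0.4.8 backport covers the 0.4.x line only, so releases between 0.5.0 and 1.1.0 are still flagged. The names `Version`, `Package`, `parse_lock` and `flag_rustsec_2020_0091` are the example's own.

```rust
// Added example (not crossterm's or cargo-audit's code): a minimal Cargo.lock
// scanner that flags arc-swap versions affected by RUSTSEC-2020-0091.
// SAMPLE_LOCK is a constructed excerpt mirroring the tree in the issue report.

/// Semver triple (major, minor, patch). Deriving Ord on a tuple struct gives
/// lexicographic comparison, which is exactly semver precedence for the core.
/// Pre-release and build metadata are ignored for this check.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    /// Parse "MAJOR.MINOR.PATCH[-pre][+build]"; returns None for anything else.
    pub fn parse(s: &str) -> Option<Version> {
        let core = s.split(|c: char| c == '-' || c == '+').next()?;
        let parts = core
            .split('.')
            .map(|p| p.parse::<u64>().ok())
            .collect::<Option<Vec<u64>>>()?;
        if parts.len() != 3 {
            return None;
        }
        Some(Version(parts[0], parts[1], parts[2]))
    }
}

/// Fixed ranges for RUSTSEC-2020-0091. The report prints the lower bounds
/// ">= 1.1.0 OR >= 0.4.8"; the 0.4.8 backport is taken to cover only the
/// 0.4.x line (assumption), so 0.5.0 through 1.0.x remain flagged.
pub fn arc_swap_is_patched(v: Version) -> bool {
    (v >= Version(0, 4, 8) && v < Version(0, 5, 0)) || v >= Version(1, 1, 0)
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Package {
    pub name: String,
    pub version: String,
}

/// Line-based reader for the `[[package]]` tables of a Cargo.lock. It only
/// needs the `name` and `version` keys; a real tool would use a TOML parser.
pub fn parse_lock(text: &str) -> Vec<Package> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<Package>) {
        // Both keys are taken so a stray top-level `version = 3` cannot leak
        // into the next package.
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(Package { name: n, version: v });
        }
    }

    let mut pkgs = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // A new table header: emit the package collected so far.
            flush(&mut name, &mut version, &mut pkgs);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut pkgs);
    pkgs
}

/// arc-swap entries whose version is not in a fixed range. Unparseable
/// versions are reported too, so nothing slips through silently.
pub fn flag_rustsec_2020_0091(lock: &str) -> Vec<Package> {
    parse_lock(lock)
        .into_iter()
        .filter(|p| p.name == "arc-swap")
        .filter(|p| match Version::parse(&p.version) {
            Some(v) => !arc_swap_is_patched(v),
            None => true,
        })
        .collect()
}

/// Constructed Cargo.lock excerpt: the vulnerable arc-swap pinned by signal-hook-registry.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "arc-swap"
version = "0.4.7"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "signal-hook-registry"
version = "1.2.1"
dependencies = [
 "arc-swap",
]
"#;

fn main() {
    for p in flag_rustsec_2020_0091(SAMPLE_LOCK) {
        println!("RUSTSEC-2020-0091: {} {} is not in a fixed range", p.name, p.version);
    }
}
```

On the constructed excerpt the scanner reports `arc-swap 0.4.7`; after the dependency bump resolves `signal-hook-registry` to a release without arc-swap, the filter finds no matching package and reports nothing.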

mainrs pushed a commit to mainrs/crossterm that referenced this issue Mar 28, 2021
TimonPost pushed a commit that referenced this issue Mar 29, 2021