smallvec/parking_lot vulnerability

[FintanH]

Hey 👋

There was a vulnerability in smallvec:

• Buffer overflow in insert_many() servo/rust-smallvec#252
• smallvec: Buffer overflow in insert_many rustsec/advisory-db#552

I came across this while using cargo deny on our project radicle-link and there was a transitive dep from governor to parking_lot.

I created a pull-request for the parking_lot repo Amanieu/parking_lot#276 and I wanted to track an issue here for updating this project with the fixed version too.

Hope that works for you, and let me know if I can do anything to help ✌️

[antifuchs]

Thanks for filing the issue! I think we can bump the transitive dependency manually, I'll investigate.

[FintanH]

Awesome! Thanks for looking into it :)

[antifuchs]

The above PR should straighten out the deps such that a non-vulnerable version of smallvec gets used. If you have the time @FintanH, could you test with a git dependency? Otherwise, I'll time out and release v0.3.2 on the weekend.

[FintanH]

Looks good on our side :)

[antifuchs]

Released! Thanks for checking!