Closed
The version of Crossbeam being used (v0.8.2) has a 'high' vulnerability being picked up by GitHub dependabot. I'm currently using Rbatis v4.4.9 and I can move to the current 4.4.14 but it still won't address the issue as both versions of Rbatis leverage crossbeam v0.8.2. According to Dependabot the solution is to upgrade to Crossbeam v0.8.4. So, I thought I would open this issue as a tracker for this change.
Here is the Dependabot report: GHSA-qc84-gqf4-9926
Here is the correction in Crossbeam for it: crossbeam-rs/crossbeam#781
And, here is the dependency trace for my project illustrating the connection via Rbatis:
├── rbatis v4.4.2
│   ├── async-trait v0.1.74 (proc-macro) (*)
│   ├── crossbeam v0.8.2
│   │   ├── cfg-if v1.0.0
│   │   ├── crossbeam-channel v0.5.8
│   │   │   ├── cfg-if v1.0.0
│   │   │   └── crossbeam-utils v0.8.16
│   │   │       └── cfg-if v1.0.0
│   │   ├── crossbeam-deque v0.8.3
│   │   │   ├── cfg-if v1.0.0
│   │   │   ├── crossbeam-epoch v0.9.15
│   │   │   │   ├── cfg-if v1.0.0
│   │   │   │   ├── crossbeam-utils v0.8.16 (*)
│   │   │   │   ├── memoffset v0.9.0
│   │   │   │   │   [build-dependencies]
│   │   │   │   │   └── autocfg v1.1.0
│   │   │   │   └── scopeguard v1.2.0
│   │   │   │   [build-dependencies]
│   │   │   │   └── autocfg v1.1.0
│   │   │   └── crossbeam-utils v0.8.16 (*)
│   │   ├── crossbeam-epoch v0.9.15 (*)
│   │   ├── crossbeam-queue v0.3.8
│   │   │   ├── cfg-if v1.0.0
│   │   │   └── crossbeam-utils v0.8.16 (*)
│   │   └── crossbeam-utils v0.8.16 (*)
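As an added example (not code from the issue or from the rbatis project): a small Python script that walks `cargo tree` output and lists every dependency path that reaches a crate version older than the one carrying the fix, so a maintainer can confirm which direct dependency pulls in crossbeam below 0.8.4. The sample tree is constructed and abridged from the trace above; the root crate name `myproject` is invented.

```python
"""Find dependency paths in `cargo tree` output reaching a crate version older than its fix."""
import re

# Constructed sample, abridged from the `cargo tree` trace in the issue above;
# the root crate name is invented, the crate versions mirror the posted trace.
SAMPLE_TREE = """\
myproject v0.1.0
└── rbatis v4.4.2
    ├── async-trait v0.1.74 (proc-macro) (*)
    └── crossbeam v0.8.2
        ├── crossbeam-channel v0.5.8
        │   └── crossbeam-utils v0.8.16
        ├── crossbeam-epoch v0.9.15
        │   ├── crossbeam-utils v0.8.16 (*)
        │   └── memoffset v0.9.0
        │       [build-dependencies]
        │       └── autocfg v1.1.0
        └── crossbeam-utils v0.8.16 (*)
"""

# One `cargo tree` line: 4-column indent segments, an optional branch glyph,
# then "<name> v<semver>". Marker lines such as "[build-dependencies]" do not match.
LINE_RE = re.compile(
    r"^(?P<prefix>(?:[│ ]   )*(?:[├└]── )?)(?P<name>\S+) v(?P<ver>\d+\.\d+\.\d+)"
)

def parse_version(ver: str) -> tuple[int, ...]:
    """'0.8.16' -> (0, 8, 16), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in ver.split("."))

def vulnerable_paths(tree: str, crate: str, fixed_in: str) -> list[list[str]]:
    """Return every root-to-`crate` path whose `crate` version is older than `fixed_in`."""
    stack: list[str] = []  # ancestors of the line being processed
    hits: list[list[str]] = []
    for line in tree.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        depth = len(match.group("prefix")) // 4
        del stack[depth:]  # unwind to this node's parent
        stack.append(f"{match.group('name')} v{match.group('ver')}")
        if match.group("name") == crate and parse_version(match.group("ver")) < parse_version(fixed_in):
            hits.append(list(stack))
    return hits

if __name__ == "__main__":
    for path in vulnerable_paths(SAMPLE_TREE, "crossbeam", "0.8.4"):
        print(" -> ".join(path))  # myproject v0.1.0 -> rbatis v4.4.2 -> crossbeam v0.8.2
```

Feed it the real output of `cargo tree` from the affected project to get the same report for the full tree; a `(*)` line is a deduplicated subtree that cargo has already printed once above.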