fix(security): improvements

[onur-ozkan]

Fixes:

• RUSTSEC-2020-0056
• RUSTSEC-2021-0059
• RUSTSEC-2021-0060
• RUSTSEC-2022-0090
• RUSTSEC-2022-0092
• RUSTSEC-2020-0168
• RUSTSEC-2023-0034
• yanked version of blake2

dependency updates:

• bump librustzcash crates to k-1.3.0
• use latest stable rmp-serde 0.14.3 -> v1.1.1 but rolled back to 0.14.3 in here fix(incompatible-dep): rollback rmp #1862 so need to review it in release PR.
• bump blake2 to latest stable v0.10.4 -> v0.10.6
• use latest stable metrics dependencies v0.19.0 -> v0.21.0
• use latest stable hyper v0.14.11 -> v0.14.26
• update rusqlite v0.24.2 -> 0.28.0
• update env_logger v0.9.0 -> 0.9.3
• remove getrandom
• libm v0.2.7 added
• mach2 v0.4.1 added instead of mach v0.3.2
• portable-atomic v1.3.2 added
• base64 v0.21.2 added
• ahash 0.7.6 -> 0.8.3
• block-modes 0.7.0 -> 0.8.1
• fpe 0.3.13 -> 0.3.19
• hashbrown 0.12.1 -> 0.13.2
• hashlink 0.6.0 -> 0.8.2
• httparse 1.6.0 -> 1.8.0
• hyper 0.14.18 -> 0.14.26
• libsqlite3-sys 0.20.1 -> 0.25.2
• metrics-exporter-prometheus 0.10.0 -> 0.12.1
• metrics-macros 0.5.1 -> 0.7.0
• metrics-util 0.13.0 -> 0.15.0
• num-traits 0.2.12 -> 0.2.15
• ordered-float 2.10.0 -> 3.7.0
• pkg-config 0.3.17 -> 0.3.27
• quanta 0.9.3 -> 0.11.1
• rmp 0.8.9 -> 0.8.11
• sketches-ddsketch 0.1.3 -> 0.2.1
• socket2 0.4.4 -> 0.4.9
• termcolor 1.1.0 -> 1.2.0
• version_check 0.9.2 -> 0.9.4

[onur-ozkan]

It would be great if you can do some general testing to see if things goes well as expected @cipig @smk762

[shamardy]

Thanks for the fixes! LGTM but I have 2 questions. Will approve once they are answered :)
I added some comments about added deps too so that I can remember to add them to the commit message.

[shamardy]

mach is still in our deps tree here
https://github.com/KomodoPlatform/atomicDEX-API/blob/f8ada95e976cbebf5f680d13ec39d986a22e11d8/mm2src/adex_cli/Cargo.lock#L1831
Is there a reason for not removing it completely?

[onur-ozkan]

Are you sure? Seems this Cargo.lock file isn't in this branch

[shamardy]

It's in this branch, but I just noticed that It's the adex-cli Cargo.lock file. Should we update it too in this PR?

[onur-ozkan]

It's not in the mm2 workspace, I think we shouldn't do it in this PR.

[shamardy]

I think we shouldn't do it in this PR.

Agreed

@rozhkovdmitrii I will leave this comment to you with the related advisory RUSTSEC-2020-0168 so that you can update it for cli in the future if you think it's important.