
Add cargo-deny to CI #883

Closed
lpil opened this issue Dec 17, 2020 · 3 comments · Fixed by #928
Labels
good first issue Good for newcomers help wanted Contributions encouraged

Comments

lpil commented Dec 17, 2020

https://github.com/EmbarkStudios/cargo-deny

An example from another project: bytecodealliance/wasmtime#2519

@lpil lpil added help wanted Contributions encouraged good first issue Good for newcomers labels Dec 17, 2020
@lpil lpil added the area:ci label Dec 26, 2020
@brightly-salty (Contributor)

One thing to note is that currently cargo-audit fails with the following as output:

   Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 175 security advisories (from /Users/cadenhaustein/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (230 crate dependencies)
Crate:         sized-chunks
Version:       0.6.2
Title:         Multiple soundness issues in Chunk and InlineArray
Date:          2020-09-06
ID:            RUSTSEC-2020-0041
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0041
Solution:      No safe upgrade is available!
Dependency tree:
sized-chunks 0.6.2
└── im 15.0.0
    └── gleam 0.13.2

Crate:         difference
Version:       2.0.0
Warning:       unmaintained
Title:         difference is unmaintained
Date:          2020-12-20
ID:            RUSTSEC-2020-0095
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0095
Dependency tree:
difference 2.0.0
└── pretty_assertions 0.6.1
    └── gleam 0.13.2

Crate:         net2
Version:       0.2.37
Warning:       unmaintained
Title:         `net2` crate has been deprecated; use `socket2` instead
Date:          2020-05-01
ID:            RUSTSEC-2020-0016
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.37
├── miow 0.2.2
│   └── mio 0.6.23
│       └── tokio 0.2.24
└── mio 0.6.23

error: 1 vulnerability found!
warning: 2 allowed warnings found

The first one is because gleam is depending on im, which depends on the unsound sized_chunks. im has an issue (bodil/im-rs#153) for this.

The second one is because gleam is depending on pretty_assertions, which depends on the unmaintained difference. pretty_assertions has an issue (rust-pretty-assertions/rust-pretty-assertions#44) for this.

I think the third one is an error in cargo-audit, because tokio is upgraded to 1.0.1 in gleam.

We would probably need to wait until these instances are fixed before adding cargo-deny to the CI.

lpil commented Jan 15, 2021

Cargo deny supports allowing version violations in the config file; I would like to allow any errors for now and fix them in future.

Cargo permits multiple versions of the same crate in a project, so I suspect we have two versions of tokio indirectly.
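
As an added example (not the gleam project's own configuration and not taken from the cargo-deny repository), here is a `deny.toml` that does what the comment above describes: it keeps the advisory check enabled in CI but temporarily accepts the three RUSTSEC advisories from the cargo-audit output earlier in this thread, and it tolerates the duplicate `tokio 0.2.24` that sits under `mio`/`miow`. The `[advisories]` and `[bans]` keys are real cargo-deny configuration keys; the advisory IDs and the tokio version come from the output quoted above. The file is assumed to live at the repository root, where `cargo deny` looks for it by default.

```toml
# deny.toml (added example; not the project's own file)

[advisories]
# Fail CI on any advisory classified as a vulnerability ...
vulnerability = "deny"
# ... but only warn for unmaintained / yanked / notice-level advisories.
unmaintained = "warn"
yanked = "warn"
notice = "warn"
# Advisories accepted for now. Each entry should be removed as soon as the
# upstream fix lands, so this list does not silently grow over time.
ignore = [
    "RUSTSEC-2020-0041", # sized-chunks via im 15.0.0: no safe upgrade available yet
    "RUSTSEC-2020-0095", # difference via pretty_assertions 0.6.1: unmaintained
    "RUSTSEC-2020-0016", # net2 via the old tokio 0.2 / mio 0.6 tree: deprecated
]

[bans]
# Report crates that appear in more than one version, but do not fail CI on them.
multiple-versions = "warn"
wildcards = "allow"
# Known duplicate: tokio 0.2.24 is still pulled in transitively next to tokio 1.x.
# Listed here so the bans check stays quiet until the transitive dependency is upgraded.
skip = [
    { name = "tokio", version = "=0.2.24" },
]
```

With this file in place, `cargo deny check advisories` runs only the advisory check and `cargo deny check` runs every configured check (advisories, bans, licenses, sources). The `ignore` list is the cargo-deny equivalent of cargo-audit's `--ignore` flag, so the RUSTSEC-2020-0041 entry in particular deserves a comment and a tracking issue, since it suppresses a real soundness vulnerability rather than an unmaintained-crate warning. `cargo tree -d` lists every crate that is present in more than one version, which is how the second tokio copy can be traced back to whichever dependency still requires tokio 0.2.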

@brightly-salty (Contributor)

After following cargo-tree, it looks like the old tokio dependency is due to an old version of reqwest in hexpm. I know there was a recent commit to update all dependencies. Is there any way we could get a new release in hexpm so we can remove this warning, as well as upgrade bytes?
