bump protobuf for RUSTSEC-2019-0003

[PsiACE]

Just bump protobuf to 2.8, consistent with tikv, avoid RUSTSEC-2019-0003

Signed-off-by: Chojan Shang psiace@outlook.com

[BusyJay]

Isn't 2 includes "2.8" already?

[PsiACE]

Isn't 2 includes "2.8" already?

But 2 also includes 2.7 and below

[BusyJay]

Yes, so dependents can upgrade to preferred versions at any time. As long as it doesn't depend on affected versions only, there is nothing to be done in a library.

[PsiACE]

But 2 does not guarantee that you will use version 2.8 and above

[BusyJay]

Cargo will guarantee latest version is used when possible. If a Cargo.lock is used, it's binary maintainer's responsibility to update the vulnerable dependencies.

[PsiACE]

Cargo will guarantee latest version is used when possible. If a Cargo.lock is used, it's binary maintainer's responsibility to update the vulnerable dependencies.

ok

[kennytm]

Cargo will guarantee latest version is used when possible.

Not really, Cargo has the (unstable) features -Z minimal-versions and -Z direct-minimal-versions flags (rust-lang/cargo#5657) which the former allows the resolver to pick 2.0.0 rather than 2.8.x.

Of course, at the end it is still the binary maintainer's (only they can add those 2 flags to affect the generated Cargo.lock) responsibility to pin protobuf to 2.8.