
chore(deps): bump several crates to address advisories #856

Merged

Conversation

qryxip
Member

@qryxip qryxip commented Oct 12, 2024

Summary

Bump the versions of the following crates so that `cargo deny check advisories` passes.

  • cbindgen v0.24.3 → v0.27.0
  • duplicate v1.0.0 → v2.0.0
  • reqwest v0.11.13 → v0.11.27
  • shlex v1.1.0 (transitive only) → v1.3.0
  • rustls v0.21.7 (transitive only) → v0.21.11
  • h2 v0.3.15 (transitive only) → v0.3.26

Only cbindgen is updated beyond the bare minimum, to the latest version; this is because I want to do #782 right after this.

Related Issue

#855

Other

advisories FAILED: 10 errors, 1 warnings, 0 notes
error[unmaintained]: `atty` is unmaintained
   ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:29:1

29 │ atty 0.2.14 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected

   ├ ID: RUSTSEC-2024-0375
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0375
   ├ The maintainer of `atty` has [published](https://github.com/softprops/atty/commit/5bfdbe9e48c6ca6a4909e8d5b04f5e843a257e93) an official notice that the crate is no longer
     under development, and that users should instead rely on the functionality in the standard library's [`IsTerminal`](https://doc.rust-lang.org/std/io/trait.IsTerminal.html) trait.
     
     ## Alternative(s)
     
     - [std::io::IsTerminal](https://doc.rust-lang.org/stable/std/io/trait.IsTerminal.html) - Stable since Rust 1.70.0 and the recommended replacement per the `atty` maintainer.
     - [is-terminal](https://crates.io/crates/is-terminal) - Standalone crate supporting Rust older than 1.70.0
   ├ Announcement: https://github.com/softprops/atty/issues/57
   ├ Solution: No safe upgrade is available!
   ├ atty v0.2.14
     └── clap v3.2.22
         └── cbindgen v0.24.3
             └── xtask v0.0.0

error[unsound]: Potential unaligned read
   ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:29:1

29 │ atty 0.2.14 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected

   ├ ID: RUSTSEC-2021-0145
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0145
   ├ On windows, `atty` dereferences a potentially unaligned pointer.
     
     In practice however, the pointer won't be unaligned unless a custom global allocator is used.
     
     In particular, the `System` allocator on windows uses `HeapAlloc`, which guarantees a large enough alignment.
     
     # atty is Unmaintained
     
     A Pull Request with a fix has been provided over a year ago but the maintainer seems to be unreachable.
     
     Last release of `atty` was almost 3 years ago.
     
     ## Possible Alternative(s)
     
     The below list has not been vetted in any way and may or may not contain alternatives;
     
      - [std::io::IsTerminal](https://doc.rust-lang.org/stable/std/io/trait.IsTerminal.html) - Stable since Rust 1.70.0
      - [is-terminal](https://crates.io/crates/is-terminal) - Standalone crate supporting Rust older than 1.70.0
   ├ Announcement: https://github.com/softprops/atty/issues/50
   ├ Solution: No safe upgrade is available!
   ├ atty v0.2.14
     └── clap v3.2.22
         └── cbindgen v0.24.3
             └── xtask v0.0.0

error[vulnerability]: Degradation of service in h2 servers with CONTINUATION Flood
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:151:1

151 │ h2 0.3.15 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected

    ├ ID: RUSTSEC-2024-0332
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0332
    ├ An attacker can send a flood of CONTINUATION frames, causing `h2` to process them indefinitely.
      This results in an increase in CPU usage.
      
      Tokio task budget helps prevent this from a complete denial-of-service, as the server can still
      respond to legitimate requests, albeit with increased latency.
      
      More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.
      
      Patches available for 0.4.x and 0.3.x versions.
    ├ Solution: Upgrade to ^0.3.26 OR >=0.4.4 (try `cargo update -p h2`)
    ├ h2 v0.3.15
      ├── hyper v0.14.23
      │   ├── hyper-rustls v0.23.2
      │   │   └── reqwest v0.11.13
      │   │       ├── downloader v0.0.0
      │   │       ├── octocrab v0.19.0
      │   │       │   └── downloader v0.0.0 (*)
      │   │       └── (build) test_util v0.0.0
      │   │           ├── (dev) voicevox_core v0.0.0
      │   │           │   ├── voicevox_core_c_api v0.0.0
      │   │           │   ├── voicevox_core_java_api v0.0.0
      │   │           │   └── voicevox_core_python_api v0.0.0
      │   │           └── (dev) voicevox_core_c_api v0.0.0 (*)
      │   └── reqwest v0.11.13 (*)
      └── reqwest v0.11.13 (*)

error[vulnerability]: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:151:1

151 │ h2 0.3.15 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected

    ├ ID: RUSTSEC-2024-0003
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0003
    ├ An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the
      generation of reset frames on the victim endpoint.
      By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,
      resulting in Out Of Memory (OOM) and high CPU usage.
      
      This fix is corrected in [hyperium/h2#737](https://github.com/hyperium/h2/pull/737), which limits the total number of
      internal error resets emitted by default before the connection is closed.
    ├ Solution: Upgrade to ^0.3.24 OR >=0.4.2 (try `cargo update -p h2`)
    ├ h2 v0.3.15
      ├── hyper v0.14.23
      │   ├── hyper-rustls v0.23.2
      │   │   └── reqwest v0.11.13
      │   │       ├── downloader v0.0.0
      │   │       ├── octocrab v0.19.0
      │   │       │   └── downloader v0.0.0 (*)
      │   │       └── (build) test_util v0.0.0
      │   │           ├── (dev) voicevox_core v0.0.0
      │   │           │   ├── voicevox_core_c_api v0.0.0
      │   │           │   ├── voicevox_core_java_api v0.0.0
      │   │           │   └── voicevox_core_python_api v0.0.0
      │   │           └── (dev) voicevox_core_c_api v0.0.0 (*)
      │   └── reqwest v0.11.13 (*)
      └── reqwest v0.11.13 (*)

error[vulnerability]: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:151:1

151 │ h2 0.3.15 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected

    ├ ID: RUSTSEC-2023-0034
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0034
    ├ If an attacker is able to flood the network with pairs of `HEADERS`/`RST_STREAM` frames, such that the `h2` application is not able to accept them faster than the bytes are received, the pending accept queue can grow in memory usage. Being able to do this consistently can result in excessive memory use, and eventually trigger Out Of Memory.
      
      This flaw is corrected in [hyperium/h2#668](https://github.com/hyperium/h2/pull/668), which restricts remote reset stream count by default.
    ├ Announcement: https://github.com/hyperium/hyper/issues/2877
    ├ Solution: Upgrade to >=0.3.17 (try `cargo update -p h2`)
    ├ h2 v0.3.15
      ├── hyper v0.14.23
      │   ├── hyper-rustls v0.23.2
      │   │   └── reqwest v0.11.13
      │   │       ├── downloader v0.0.0
      │   │       ├── octocrab v0.19.0
      │   │       │   └── downloader v0.0.0 (*)
      │   │       └── (build) test_util v0.0.0
      │   │           ├── (dev) voicevox_core v0.0.0
      │   │           │   ├── voicevox_core_c_api v0.0.0
      │   │           │   ├── voicevox_core_java_api v0.0.0
      │   │           │   └── voicevox_core_python_api v0.0.0
      │   │           └── (dev) voicevox_core_c_api v0.0.0 (*)
      │   └── reqwest v0.11.13 (*)
      └── reqwest v0.11.13 (*)

error[unmaintained]: proc-macro-error is unmaintained
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:273:1

273 │ proc-macro-error 1.0.4 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unmaintained advisory detected

    ├ ID: RUSTSEC-2024-0370
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0370
    ├ proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email.
      
      proc-macro-error also depends on `syn 1.x`, which may be bringing duplicate dependencies into dependant build trees.
      
      ## Possible Alternative(s)
      
      - [manyhow](https://crates.io/crates/manyhow)
      - [proc-macro-error2](https://crates.io/crates/proc-macro-error2)
      - [proc-macro2-diagnostics](https://github.com/SergioBenitez/proc-macro2-diagnostics)
    ├ Announcement: https://gitlab.com/CreepySkeleton/proc-macro-error/-/issues/20
    ├ Solution: No safe upgrade is available!
    ├ proc-macro-error v1.0.4
      └── duplicate v1.0.0
          ├── voicevox_core v0.0.0
          │   ├── voicevox_core_c_api v0.0.0
          │   ├── voicevox_core_java_api v0.0.0
          │   └── voicevox_core_python_api v0.0.0
          ├── voicevox_core_c_api v0.0.0 (*)
          └── voicevox_core_java_api v0.0.0 (*)

error[vulnerability]: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:309:1

309 │ rustls 0.20.6 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected

    ├ ID: RUSTSEC-2024-0336
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0336
    ├ If a `close_notify` alert is received during a handshake, `complete_io`
      does not terminate.
      
      Callers which do not call `complete_io` are not affected.
      
      `rustls-tokio` and `rustls-ffi` do not call `complete_io`
      and are not affected.
      
      `rustls::Stream` and `rustls::StreamOwned` types use
      `complete_io` and are affected.
    ├ Announcement: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
    ├ Solution: Upgrade to >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0 (try `cargo update -p rustls`)
    ├ rustls v0.20.6
      ├── hyper-rustls v0.23.2
      │   └── reqwest v0.11.13
      │       ├── downloader v0.0.0
      │       ├── octocrab v0.19.0
      │       │   └── downloader v0.0.0 (*)
      │       └── (build) test_util v0.0.0
      │           ├── (dev) voicevox_core v0.0.0
      │           │   ├── voicevox_core_c_api v0.0.0
      │           │   ├── voicevox_core_java_api v0.0.0
      │           │   └── voicevox_core_python_api v0.0.0
      │           └── (dev) voicevox_core_c_api v0.0.0 (*)
      ├── reqwest v0.11.13 (*)
      └── tokio-rustls v0.23.4
          ├── hyper-rustls v0.23.2 (*)
          └── reqwest v0.11.13 (*)

error[vulnerability]: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:310:1

310 │ rustls 0.21.7 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected

    ├ ID: RUSTSEC-2024-0336
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0336
    ├ If a `close_notify` alert is received during a handshake, `complete_io`
      does not terminate.
      
      Callers which do not call `complete_io` are not affected.
      
      `rustls-tokio` and `rustls-ffi` do not call `complete_io`
      and are not affected.
      
      `rustls::Stream` and `rustls::StreamOwned` types use
      `complete_io` and are affected.
    ├ Announcement: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
    ├ Solution: Upgrade to >=0.23.5 OR >=0.22.4, <0.23.0 OR >=0.21.11, <0.22.0 (try `cargo update -p rustls`)
    ├ rustls v0.21.7
      └── ureq v2.8.0
          └── (build) voicevox-ort-sys v2.0.0-rc.4
              └── voicevox-ort v2.0.0-rc.4
                  ├── (build) test_util v0.0.0
                  │   ├── (dev) voicevox_core v0.0.0
                  │   │   ├── voicevox_core_c_api v0.0.0
                  │   │   ├── voicevox_core_java_api v0.0.0
                  │   │   └── voicevox_core_python_api v0.0.0
                  │   └── (dev) voicevox_core_c_api v0.0.0 (*)
                  ├── voicevox_core v0.0.0 (*)
                  └── (dev) voicevox_core_c_api v0.0.0 (*)

error[vulnerability]: Multiple issues involving quote API
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:336:1

336 │ shlex 1.1.0 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected

    ├ ID: RUSTSEC-2024-0006
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0006
    ├ ## Issue 1: Failure to quote characters
      
      Affected versions of this crate allowed the bytes `{` and `\xa0` to appear
      unquoted and unescaped in command arguments.
      
      If the output of `quote` or `join` is passed to a shell, then what should be a
      single command argument could be interpreted as multiple arguments.
      
      This does not *directly* allow arbitrary command execution (you can't inject a
      command substitution or similar).  But depending on the command you're running,
      being able to inject multiple arguments where only one is expected could lead
      to undesired consequences, potentially including arbitrary command execution.
      
      The flaw was corrected in version 1.2.1 by escaping additional characters.
      Updating to 1.3.0 is recommended, but 1.2.1 offers a more minimal fix if
      desired.
      
      Workaround: Check for the bytes `{` and `\xa0` in `quote`/`join` input or
      output.
      
      (Note: `{` is problematic because it is used for glob expansion.  `\xa0` is
      problematic because it's treated as a word separator in [specific
      environments][solved-xa0].)
      
      ## Issue 2: Dangerous API w.r.t. nul bytes
      
      Version 1.3.0 deprecates the `quote` and `join` APIs in favor of `try_quote`
      and `try_join`, which behave the same except that they have `Result` return
      type, returning `Err` if the input contains nul bytes.
      
      Strings containing nul bytes generally cannot be used in Unix command arguments
      or environment variables, and most shells cannot handle nul bytes even
      internally.  If you try to pass one anyway, then the results might be
      security-sensitive in uncommon scenarios.  [More details here.][nul-bytes]
      
      Due to the low severity, the behavior of the original `quote` and `join` APIs
      has not changed; they continue to allow nuls.
      
      Workaround: Manually check for nul bytes in `quote`/`join` input or output.
      
      ## Issue 3: Lack of documentation for interactive shell risks
      
      The `quote` family of functions does not and cannot escape control characters.
      With non-interactive shells this is perfectly safe, as control characters have
      no special effect.  But if you writing directly to the standard input of an
      interactive shell (or through a pty), then control characters [can cause
      misbehavior including arbitrary command injection.][control-characters]
      
      This is essentially unfixable, and has not been patched.  But as of version
      1.3.0, documentation has been added.
      
      Future versions of `shlex` may add API variants that avoid the issue at the
      cost of reduced portability.
      
      [solved-xa0]: https://docs.rs/shlex/latest/shlex/quoting_warning/index.html#solved-xa0
      [nul-bytes]: https://docs.rs/shlex/latest/shlex/quoting_warning/index.html#nul-bytes
      [control-characters]: https://docs.rs/shlex/latest/shlex/quoting_warning/index.html#control-characters-interactive-contexts-only
    ├ Announcement: https://github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27
    ├ Solution: Upgrade to >=1.3.0 (try `cargo update -p shlex`)
    ├ shlex v1.1.0
      ├── bindgen v0.62.0
      │   └── (build) open_jtalk-sys v0.16.111
      │       └── open_jtalk v0.1.25
      │           └── voicevox_core v0.0.0
      │               ├── voicevox_core_c_api v0.0.0
      │               ├── voicevox_core_java_api v0.0.0
      │               └── voicevox_core_python_api v0.0.0
      └── bindgen v0.69.4
          └── (build) test_util v0.0.0
              ├── (dev) voicevox_core v0.0.0 (*)
              └── (dev) voicevox_core_c_api v0.0.0 (*)

error[vulnerability]: webpki: CPU denial of service in certificate path building
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:425:1

425 │ webpki 0.22.0 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected

    ├ ID: RUSTSEC-2023-0052
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0052
    ├ When this crate is given a pathological certificate chain to validate, it will
      spend CPU time exponential with the number of candidate certificates at each
      step of path building.
      
      Both TLS clients and TLS servers that accept client certificate are affected.
      
      This was previously reported in
      <https://github.com/briansmith/webpki/issues/69> and re-reported recently
      by Luke Malinowski.
      
      webpki 0.22.1 included a partial fix and webpki 0.22.2 added further fixes.
    ├ Solution: Upgrade to >=0.22.2 (try `cargo update -p webpki`)
    ├ webpki v0.22.0
      ├── rustls v0.20.6
      │   ├── hyper-rustls v0.23.2
      │   │   └── reqwest v0.11.13
      │   │       ├── downloader v0.0.0
      │   │       ├── octocrab v0.19.0
      │   │       │   └── downloader v0.0.0 (*)
      │   │       └── (build) test_util v0.0.0
      │   │           ├── (dev) voicevox_core v0.0.0
      │   │           │   ├── voicevox_core_c_api v0.0.0
      │   │           │   ├── voicevox_core_java_api v0.0.0
      │   │           │   └── voicevox_core_python_api v0.0.0
      │   │           └── (dev) voicevox_core_c_api v0.0.0 (*)
      │   ├── reqwest v0.11.13 (*)
      │   └── tokio-rustls v0.23.4
      │       ├── hyper-rustls v0.23.2 (*)
      │       └── reqwest v0.11.13 (*)
      ├── tokio-rustls v0.23.4 (*)
      └── webpki-roots v0.22.5
          └── reqwest v0.11.13 (*)

warning[yanked]: detected yanked crate (try `cargo update -p textwrap`)
    ┌─ /home/ryo/src/github.com/VOICEVOX/voicevox_core/main/Cargo.lock:370:1

370 │ textwrap 0.15.1 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ yanked version

    ├ textwrap v0.15.1
      └── clap v3.2.22
          └── cbindgen v0.24.3
              └── xtask v0.0.0

advisories FAILED: 10 errors, 1 warnings, 0 notes
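The shlex entry in the report above (RUSTSEC-2024-0006) states a workaround for versions below 1.3.0: check `quote`/`join` input or output for the bytes `{`, `\xa0` and NUL. The block below is an added example, not code from this PR, from voicevox_core or from the shlex crate; `ArgProblem`, `check_shell_arg`, `posix_single_quote` and `try_join_checked` are names chosen here, and `posix_single_quote` is a stand-in quoter so the example runs without the crate, not shlex's algorithm. The check is byte-level, as the advisory words it, so it also rejects any UTF-8 sequence that happens to contain 0xA0 (for example `à`, encoded C3 A0).

```rust
// Added example, not code from the PR or from the shlex crate. It implements
// the workaround RUSTSEC-2024-0006 describes for shlex < 1.3.0: scan a command
// argument for the bytes `{`, 0xA0 and NUL before it is handed to `quote`/`join`.

/// Why an argument was rejected.
#[derive(Debug, PartialEq, Eq)]
pub enum ArgProblem {
    /// `{` was left unquoted by affected versions (brace/glob expansion risk).
    Brace,
    /// Byte 0xA0 is treated as a word separator in some environments.
    Xa0,
    /// NUL cannot be carried in a Unix argv; old `quote` accepted it silently.
    Nul,
}

/// Byte-level check, as the advisory words it. Deliberately conservative:
/// any UTF-8 sequence that contains 0xA0 (e.g. 'à' = C3 A0) is also rejected.
pub fn check_shell_arg(arg: &str) -> Result<(), ArgProblem> {
    for b in arg.bytes() {
        match b {
            0x00 => return Err(ArgProblem::Nul),
            b'{' => return Err(ArgProblem::Brace),
            0xa0 => return Err(ArgProblem::Xa0),
            _ => {}
        }
    }
    Ok(())
}

/// Stand-in quoter so the example runs without shlex (hypothetical helper, not
/// shlex's algorithm): always single-quote, spelling an embedded `'` as `'\''`.
pub fn posix_single_quote(arg: &str) -> String {
    let mut out = String::from("'");
    for c in arg.chars() {
        if c == '\'' {
            out.push_str("'\\''");
        } else {
            out.push(c);
        }
    }
    out.push('\'');
    out
}

/// Gate every element through `check_shell_arg`, then join the quoted pieces.
/// The whole vector is refused if any single element fails the check.
pub fn try_join_checked(args: &[&str]) -> Result<String, ArgProblem> {
    let mut quoted = Vec::with_capacity(args.len());
    for a in args {
        check_shell_arg(a)?;
        quoted.push(posix_single_quote(a));
    }
    Ok(quoted.join(" "))
}

fn main() {
    // Constructed sample argument vectors, one clean and three that trip the check.
    let samples: [&[&str]; 4] = [
        &["ls", "-l", "my file's.txt"],
        &["echo", "{a,b}"],
        &["printf", "%s", "a\u{a0}b"],
        &["echo", "a\0b"],
    ];
    for args in samples {
        match try_join_checked(args) {
            Ok(cmd) => println!("ok:       {cmd}"),
            Err(why) => println!("rejected: {args:?} ({why:?})"),
        }
    }
}
```

Per the advisory text, the `{`/0xA0 escaping was fixed in shlex 1.2.1 and the NUL-rejecting `try_quote`/`try_join` arrived in 1.3.0, so a gate like this is only a stop-gap until a bump such as the one in this PR removes the old version from the lock file.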

Bump the versions of the following crates so that `cargo deny check advisories` passes.

- bindgen v0.24.3 → v0.27.0
- duplicate v1.0.0 → v2.0.0
- reqwest v0.11.13 → v0.11.27
- shlex v1.1.0 (transitive only) → v1.3.0
- rustls v0.21.7 (transitive only) → v0.21.11
- h2 v0.3.15 (transitive only) → v0.3.26
@qryxip qryxip requested a review from Hiroshiba October 12, 2024 19:08
@@ -17,7 +17,7 @@ blocking = "1.6.1"
bytes = "1.7.2"
camino = "1.1.9"
cargo_metadata = "0.18.1"
cbindgen = "0.24.3"
cbindgen = "0.27.0"
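Review bot: this hunk only moves the Cargo.toml pin from cbindgen = "0.24.3" to "0.27.0"; the report above shows the unmaintained atty v0.2.14 (RUSTSEC-2024-0375, RUSTSEC-2021-0145) and the yanked textwrap v0.15.1 reaching xtask through clap v3.2.22 under cbindgen v0.24.3, and cargo deny lists "No safe upgrade is available!" for atty, so the regenerated Cargo.lock should be checked alongside this line to confirm that clap v3 chain is actually gone rather than still resolved. The PR body explains that cbindgen goes past the minimum because of #782, but the commit message reproduced above does not; a one-line rationale there would keep the reason with the change.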
Member Author


At last I can do #782… (though it looks like it came out in August)

Member

@Hiroshiba Hiroshiba left a comment


LGTM!!

@qryxip qryxip merged commit f61890f into VOICEVOX:main Oct 13, 2024
35 checks passed
@qryxip qryxip deleted the chore-deps-bump-several-deps-for-advisories branch October 13, 2024 05:18
qryxip added a commit to qryxip/voicevox_core that referenced this pull request Oct 13, 2024