Vulnerable dependencies #629

@lubo

I'm reporting this here because there's no security policy and private vulnerability reporting is disabled in this repository.

Yesterday, I added the squawk crate to my project. After doing that, GitHub Dependabot opened 21 alerts for Squawk dependencies. I won't provide the list here unless you request it. However, you can find them yourself by enabling Dependabot alerts in this repository.

I assume the alerts are disabled because I see no PRs by Dependabot or relevant changes by you, and I assume you wouldn't just let the vulnerabilities sit there if you knew about them. Enabling the alerts wouldn't just help you with the current vulnerabilities; it'd also help you to stay on top of them in the future. Dependabot is usually able to open PRs that upgrade the dependencies to secure versions for you. I'd also recommend setting up Dependabot version updates, so that the project uses current major and minor versions of the dependencies and security fixes, usually shipped as patch releases, can be applied right away without any delays.

With that being said, I'm asking you to upgrade the dependencies and ship a security release. Let me know if you need any help.
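The version-updates setup the issue recommends is driven by a `.github/dependabot.yml` file in the repository. The configuration below is an added illustration for a Cargo-based project such as Squawk; it is not part of the issue or of the Squawk repository. The `/` directory and the weekly schedule are assumptions; Dependabot security alerts themselves are switched on separately under the repository's Security settings rather than in this file.

```yaml
# .github/dependabot.yml (added example, not from the Squawk repository)
version: 2
updates:
  # Assumes the Cargo.toml lives at the repository root.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    # Batch routine minor/patch bumps into one PR so that security
    # patch releases are picked up promptly without a flood of PRs.
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```

With alerts enabled and this file committed, Dependabot opens pull requests for vulnerable or outdated crates on the chosen schedule; security-update PRs are still raised as soon as an advisory matches a dependency, independent of the weekly interval.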
