
Upgrade Crossbeam from 0.8.2 to 0.8.4 to address "High" GitHub Dependabot alert #446

Closed
ptdecker opened this issue Oct 26, 2023 · 3 comments

The version of Crossbeam being used (v0.8.2) has a 'high' vulnerability being picked up by GitHub Dependabot. I'm currently using Rbatis v4.4.9 and I can move to the current 4.4.14, but it still won't address the issue as both versions of Rbatis leverage crossbeam v0.8.2. According to Dependabot, the solution is to upgrade to Crossbeam v0.8.4. So, I thought I would open this issue as a tracker for this change.

Here is the Dependabot report: GHSA-qc84-gqf4-9926

Here is the correction in Crossbeam for it: crossbeam-rs/crossbeam#781

And, here is the dependency trace for my project illustrating the connection via Rbatis:

├── rbatis v4.4.2
│   ├── async-trait v0.1.74 (proc-macro) (*)
│   ├── crossbeam v0.8.2
│   │   ├── cfg-if v1.0.0
│   │   ├── crossbeam-channel v0.5.8
│   │   │   ├── cfg-if v1.0.0
│   │   │   └── crossbeam-utils v0.8.16
│   │   │       └── cfg-if v1.0.0
│   │   ├── crossbeam-deque v0.8.3
│   │   │   ├── cfg-if v1.0.0
│   │   │   ├── crossbeam-epoch v0.9.15
│   │   │   │   ├── cfg-if v1.0.0
│   │   │   │   ├── crossbeam-utils v0.8.16 (*)
│   │   │   │   ├── memoffset v0.9.0
│   │   │   │   │   [build-dependencies]
│   │   │   │   │   └── autocfg v1.1.0
│   │   │   │   └── scopeguard v1.2.0
│   │   │   │   [build-dependencies]
│   │   │   │   └── autocfg v1.1.0
│   │   │   └── crossbeam-utils v0.8.16 (*)
│   │   ├── crossbeam-epoch v0.9.15 (*)
│   │   ├── crossbeam-queue v0.3.8
│   │   │   ├── cfg-if v1.0.0
│   │   │   └── crossbeam-utils v0.8.16 (*)
│   │   └── crossbeam-utils v0.8.16 (*)
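As an added check (not code from this issue, rbatis or crossbeam): a small Python parser over `cargo tree` output in the layout pasted above, which reports every dependency path that reaches `crossbeam` at a version older than 0.8.4, the fix Dependabot names for GHSA-qc84-gqf4-9926. The embedded tree is a constructed excerpt of the one in the issue.

```python
"""Report `cargo tree` paths that reach a crate below its patched version.
Added example, not code from the rbatis issue or the crossbeam project. It
parses the box-drawing layout `cargo tree` prints (as pasted above) and
lists every path to `crossbeam` older than 0.8.4, the fix Dependabot named
for GHSA-qc84-gqf4-9926.
"""
import re

# Constructed excerpt of the tree quoted in the issue (same layout).
SAMPLE_TREE = """\
rbatis v4.4.2
├── async-trait v0.1.74 (proc-macro) (*)
├── crossbeam v0.8.2
│   ├── crossbeam-channel v0.5.8
│   │   └── crossbeam-utils v0.8.16
│   │       [build-dependencies]
│   │       └── autocfg v1.1.0
│   └── crossbeam-utils v0.8.16 (*)
"""

# Box-drawing prefix, crate name, version; rows such as
# "[build-dependencies]" have no " vX.Y.Z" and are skipped.
ROW_RE = re.compile(r"^([│├└─ ]*)(\S+) v(\d+(?:\.\d+)*)")

def parse_version(text):
    """'0.8.16' -> (0, 8, 16) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def vulnerable_paths(tree_text, crate, fixed_version):
    """Return 'root -> ... -> crate vX' for every occurrence of `crate`
    whose version is older than `fixed_version`."""
    fixed = parse_version(fixed_version)
    ancestry = []  # (depth, "name vX.Y.Z") along the current branch
    hits = []
    for row in tree_text.splitlines():
        match = ROW_RE.match(row)
        if not match:
            continue
        depth = len(match.group(1)) // 4  # each tree level is 4 columns
        name, version = match.group(2), match.group(3)
        while ancestry and ancestry[-1][0] >= depth:
            ancestry.pop()  # moved back up to a shallower branch
        ancestry.append((depth, f"{name} v{version}"))
        if name == crate and parse_version(version) < fixed:
            hits.append(" -> ".join(label for _, label in ancestry))
    return hits

if __name__ == "__main__":
    for path in vulnerable_paths(SAMPLE_TREE, "crossbeam", "0.8.4"):
        print("vulnerable:", path)
```

In a real checkout, `cargo tree` (or `cargo tree -i crossbeam` to invert the view) produces this text directly, so the same function can be pointed at its output.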
zhuxiujia added a commit that referenced this issue Oct 27, 2023
zhuxiujia (Member) commented:

OK, we removed crossbeam (from rbatis); maybe we should wait for crossbeam to update its version.

zhuxiujia added a commit that referenced this issue Oct 27, 2023

ptdecker commented Oct 27, 2023

Yes, just upgrading from 0.8.2 to 0.8.4 should address the vulnerability.

I see that you removed it completely. Was it just being used in tests?

Thank you!

ptdecker (Author) commented:

Closing this out because it looks to be fixed.
