Tracking issue for RUSTSEC-2020-0071

[hanabi1224]

Issue summary

I've made a fix to upstream boa_engine with boa-dev/boa#2627
We could resolve https://github.com/ChainSafe/forest/security/dependabot/20 and remove --ignore RUSTSEC-2020-0071 from here once boa_engine makes a new release.

Other information and links

[lemmih]

boa_engine was fixed but RUSTSEC-2020-0071 is also triggered by chrono: chronotope/chrono#1073

[hanabi1224]

boa_engine was fixed but RUSTSEC-2020-0071 is also triggered by chrono: chronotope/chrono#1073

@lemmih We have removed oldtime feature from chrono by doing below, the last time I checked it did not cause RUSTSEC-2020-0071

chrono = { version = "0.4", default-features = false, features = ["clock"] }

[aatifsyed]

Boa engine is not fixed in 0.16:

$ git describe --tags 
v0.16
$ cargo audit -n
      Loaded 557 security advisories (from /home/aatif/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (193 crate dependencies)
Crate:     time
Version:   0.1.44
...
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    └── boa_engine 0.16.0
        ├── boa_wasm 0.16.0
        ├── boa_tester 0.16.0
        ├── boa_examples 0.16.0
        └── boa_cli 0.16.0
...

The right fix is to bump to 0.17, but it's non-trivial

[aatifsyed]

chrono asserts that it doesn't call the vulnerable APIs, which is good enough to close this I think

chronotope/chrono#602 (comment)

[hanabi1224]

@aatifsyed #3380