This repository has been archived by the owner on Aug 3, 2023. It is now read-only.

Tracking issue for fixing cargo audit issues #2117

Closed
2 of 3 tasks
caass opened this issue Nov 1, 2021 · 1 comment
Labels
dependencies Pull requests that update a dependency file

Comments

@caass
Contributor

caass commented Nov 1, 2021

The output of cargo audit gives the following:

❯ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 370 security advisories (from /Users/cass/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (350 crate dependencies)
Crate:         chrono
Version:       0.4.19
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree: 
chrono 0.4.19
├── wrangler 1.19.4
├── toml_edit 0.2.1
│   └── wrangler 1.19.4
├── sloggers 1.0.1
│   └── cloudflare 0.8.7
│       └── wrangler 1.19.4
├── slog-term 2.8.0
│   ├── sloggers 1.0.1
│   └── cloudflare 0.8.7
├── plist 0.5.5
│   └── os-version 0.1.1
│       └── wrangler 1.19.4
├── oauth2 4.1.0
│   └── wrangler 1.19.4
└── cloudflare 0.8.7

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44
├── zip 0.5.13
│   └── binary-install 0.0.3-alpha.1
│       └── wrangler 1.19.4
├── syncbox 0.2.4
│   └── eventual 0.1.7
│       └── wrangler 1.19.4
├── eventual 0.1.7
└── chrono 0.4.19
    ├── wrangler 1.19.4
    ├── toml_edit 0.2.1
    │   └── wrangler 1.19.4
    ├── sloggers 1.0.1
    │   └── cloudflare 0.8.7
    │       └── wrangler 1.19.4
    ├── slog-term 2.8.0
    │   ├── sloggers 1.0.1
    │   └── cloudflare 0.8.7
    ├── plist 0.5.5
    │   └── os-version 0.1.1
    │       └── wrangler 1.19.4
    ├── oauth2 4.1.0
    │   └── wrangler 1.19.4
    └── cloudflare 0.8.7

Crate:         failure
Version:       0.1.8
Warning:       unmaintained
Title:         failure is officially deprecated/unmaintained
Date:          2020-05-02
ID:            RUSTSEC-2020-0036
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0036
Dependency tree: 
failure 0.1.8
└── binary-install 0.0.3-alpha.1
    └── wrangler 1.19.4

Crate:         net2
Version:       0.2.37
Warning:       unmaintained
Title:         `net2` crate has been deprecated; use `socket2` instead
Date:          2020-05-01
ID:            RUSTSEC-2020-0016
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree: 
net2 0.2.37
├── miow 0.2.2
└── mio 0.6.23

Crate:         term
Version:       0.5.2
Warning:       unmaintained
Title:         term is looking for a new maintainer
Date:          2018-11-19
ID:            RUSTSEC-2018-0015
URL:           https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree: 
term 0.5.2

error: 2 vulnerabilities found!
warning: 3 allowed warnings found

This issue is meant to be a meta-issue to track progress on solving the issues raised by cargo audit.

Includes:

Since CI fails until we resolve this, it has some amount of priority.

@caass caass added bug Something isn't working dependencies Pull requests that update a dependency file and removed bug Something isn't working labels Nov 1, 2021
@a1ien
Contributor

a1ien commented Nov 3, 2021

Maybe it's worth re-implementing binary-install inside wrangler. It uses curl in its implementation to fetch data. Since wrangler uses reqwest, we can re-implement all the functionality of binary-install without using curl, which reduces bloated dependencies.
Also, the zip crate has time as an optional feature and we can easily disable it.

P.S. I came to this because it's possible to make almost all the functionality of wrangler work without openssl, but curl has a hard dependency on openssl. And if we re-implement binary-install we can easily build wrangler without openssl.
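As an added illustration (not code from the wrangler or binary-install repositories) of the feature change suggested above: the Cargo.toml fragment below shows the zip dependency with default features (which enable zip's `time` feature and so pull in time 0.1.x, the RUSTSEC-2020-0071 path in the tree) next to the same dependency with that feature switched off. Cargo unifies features across the whole graph, so this only has an effect in the crate that declares the zip dependency, which per the tree above is binary-install 0.0.3-alpha.1 (or an in-tree reimplementation); the feature names `deflate` and `bzip2` are zip 0.5's defaults and are stated here as an assumption.

```toml
# Cargo.toml of the crate that declares the `zip` dependency.
# (Added example; crate/feature names for zip 0.5 are an assumption.)

[dependencies]

# Before: default features = ["bzip2", "deflate", "time"].
# The `time` feature brings in time 0.1.x, flagged by RUSTSEC-2020-0071.
# zip = "0.5.13"

# After: opt out of the defaults and re-enable only the codecs actually
# needed. In zip 0.5 the `time` feature only adds conversions between zip's
# own DateTime type and the time crate's types, so reading and writing
# archives still works without it.
zip = { version = "0.5.13", default-features = false, features = ["deflate"] }
```

After the change, `cargo tree -i time` should no longer show the zip/binary-install path, and cargo audit should stop reporting RUSTSEC-2020-0071 via that path; the chrono 0.4.19 path to time 0.1 in the tree above is separate and remains until chrono is dealt with.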
