Fix the vulnerabilities alerts and run make security-audit in CI #39

Closed · 2 of 4 tasks

doitian opened this issue Nov 28, 2018 · 5 comments
Comments

@doitian
Member

doitian commented Nov 28, 2018

See #38

Severe

@rainchen
Contributor

rainchen commented Nov 29, 2018

I had a quick try but failed.

yaml-rust is suggested to be upgraded to 0.4.1.
ckb currently depends on clap v2.
clap v2 depends on yaml-rust v0.3.5.
clap v3.0.0-beta.1 depends on v0.4.

I tried using clap v3.0.0-beta.1 for ckb but failed.

I was using the following config:

clap = { version = "3.0.0-beta.1", features = ["yaml"], git = "https://github.com/clap-rs/clap.git", branch = "v3-master" }

Here is the build output:

$ cargo build --release
    Blocking waiting for file lock on the git checkouts
    Updating git repository `https://github.com/clap-rs/clap.git`
    Blocking waiting for file lock on the git checkouts
    Blocking waiting for file lock on the git checkouts
    Blocking waiting for file lock on the registry index
    Updating git repository `https://github.com/clap-rs/clap_derive`
    Updating registry `https://github.com/rust-lang/crates.io-index`
   Compiling indexmap v1.0.2
   Compiling strsim v0.8.0
   Compiling clap v2.32.0
   Compiling syn v0.14.9
   Compiling clap_derive v0.3.0 (https://github.com/clap-rs/clap_derive#2fad2c8a)
   Compiling bindgen v0.29.1
   Compiling clap v3.0.0-beta.1 (https://github.com/clap-rs/clap.git?branch=v3-master#93991744)
error[E0425]: cannot find function `from_yaml` in the crate root
    --> /Users/rain/.cargo/git/checkouts/clap-78dbe9b58f9073fe/9399174/src/build/app/mod.rs:2007:36
     |
2007 |                 a = a.subcommand(::from_yaml(sc_yaml));
     |                                    ^^^^^^^^^ not found in the crate root

error[E0106]: missing lifetime specifier
  --> /Users/rain/.cargo/git/checkouts/clap-78dbe9b58f9073fe/9399174/src/mkeymap.rs:45:16
   |
45 | impl PartialEq<&str> for KeyType {
   |                ^ expected lifetime parameter

error: aborting due to 2 previous errors

Some errors occurred: E0106, E0425.
For more information about an error, try `rustc --explain E0106`.
error: Could not compile `clap`.
warning: build failed, waiting for other jobs to finish...
error: build failed

There is a hint for how to upgrade to yaml-rust v4:
clap-rs/clap@8a7ac8f
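The chain above (ckb depends on clap v2, which pins yaml-rust 0.3.5) was worked out by hand. As an added example that is not CKB's code and not cargo's own parser, the Rust program below reads a Cargo.lock in the v1 layout and answers the question an alert raises: which direct dependency do we have to bump to get rid of the flagged crate? The lock file contents are constructed; only the clap 2.32.0 to yaml-rust 0.3.5 edge mirrors the comment above, while the `jsonrpc-http-server 8.0.0`, `smallvec 0.6.0` entries and all function names are assumptions for illustration.

```rust
use std::collections::{HashMap, VecDeque};

/// One `[[package]]` table from Cargo.lock. `deps` holds "name version" keys.
#[derive(Debug, Default)]
struct Package {
    name: String,
    version: String,
    deps: Vec<String>,
}

fn key(name: &str, version: &str) -> String {
    format!("{} {}", name, version)
}

/// Strip one pair of surrounding double quotes, if present.
fn unquote(s: &str) -> Option<&str> {
    let s = s.trim();
    if s.len() >= 2 && s.starts_with('"') && s.ends_with('"') {
        Some(&s[1..s.len() - 1])
    } else {
        None
    }
}

/// Minimal line-based reader for the Cargo.lock v1 layout (a hypothetical helper,
/// not cargo's parser). Only `name`, `version` and the `dependencies` list of each
/// `[[package]]` table are used; `source` lines and `[metadata]` are ignored.
fn parse_lock(text: &str) -> HashMap<String, Package> {
    let mut packages: HashMap<String, Package> = HashMap::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false;

    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.insert(key(&p.name, &p.version), p);
            }
            current = Some(Package::default());
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue, // anything before the first table
        };
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
            } else if let Some(spec) = unquote(line.trim_end_matches(',')) {
                // "clap 2.32.0 (registry+https://...)" -> key "clap 2.32.0"
                let mut parts = spec.split_whitespace();
                if let (Some(n), Some(v)) = (parts.next(), parts.next()) {
                    pkg.deps.push(key(n, v));
                }
            }
        } else if let Some(rest) = line.strip_prefix("name = ") {
            pkg.name = unquote(rest).unwrap_or("").to_string();
        } else if let Some(rest) = line.strip_prefix("version = ") {
            pkg.version = unquote(rest).unwrap_or("").to_string();
        } else if line.starts_with("dependencies = [") {
            in_deps = true;
        }
    }
    if let Some(p) = current.take() {
        packages.insert(key(&p.name, &p.version), p);
    }
    packages
}

/// Breadth-first search from `root` for the shortest dependency chain that reaches
/// `target` (both given as "name version"). Returns the chain including both ends.
fn dependency_path(packages: &HashMap<String, Package>, root: &str, target: &str) -> Option<Vec<String>> {
    let mut parent: HashMap<String, String> = HashMap::new();
    let mut queue = VecDeque::new();
    parent.insert(root.to_string(), String::new());
    queue.push_back(root.to_string());
    while let Some(cur) = queue.pop_front() {
        if cur == target {
            let mut path = vec![cur.clone()];
            let mut node = cur;
            while let Some(p) = parent.get(&node) {
                if p.is_empty() {
                    break; // reached the root, which has no parent
                }
                path.push(p.clone());
                node = p.clone();
            }
            path.reverse();
            return Some(path);
        }
        if let Some(pkg) = packages.get(&cur) {
            for d in &pkg.deps {
                if !parent.contains_key(d) {
                    parent.insert(d.clone(), cur.clone());
                    queue.push_back(d.clone());
                }
            }
        }
    }
    None
}

/// One chain per direct dependency of `root` through which `target` is reachable:
/// these are the crates that must be bumped (or replaced) to clear the alert.
fn culprits(packages: &HashMap<String, Package>, root: &str, target: &str) -> Vec<Vec<String>> {
    let mut out = Vec::new();
    if let Some(pkg) = packages.get(root) {
        for d in &pkg.deps {
            if let Some(mut path) = dependency_path(packages, d, target) {
                path.insert(0, root.to_string());
                out.push(path);
            }
        }
    }
    out
}

// Constructed sample lock file; versions other than clap 2.32.0 / yaml-rust 0.3.5 /
// strsim 0.8.0 are made up for the example.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "ckb"
version = "0.1.0"
dependencies = [
 "clap 2.32.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "jsonrpc-http-server 8.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "clap"
version = "2.32.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "strsim 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "yaml-rust 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "jsonrpc-http-server"
version = "8.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "smallvec 0.6.0 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "smallvec"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "strsim"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "yaml-rust"
version = "0.3.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    let packages = parse_lock(SAMPLE_LOCK);
    for target in ["yaml-rust 0.3.5", "smallvec 0.6.0"].iter() {
        for path in culprits(&packages, "ckb 0.1.0", target) {
            println!("{}", path.join(" -> "));
        }
    }
}
```

For a real tree, read the lock with `std::fs::read_to_string("Cargo.lock")` and take the target name and version from the alert; `cargo tree --invert <crate>` performs the same reverse lookup once that subcommand is available in your toolchain.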

@doitian
Member Author

doitian commented Nov 29, 2018

Maybe we can just get rid of YAML. I prefer declaring the options just in Rust. Hey, @zhangsoledad, what's your opinion?

@driftluo
Collaborator

driftluo commented Nov 29, 2018

untrusted crate: we need to wait for libp2p/rust-libp2p#674 in libp2p, and wait for substrate.
smallvec crate: we can upgrade jsonrpc-http-server to 9.0.
rust-yaml crate: wait for clap 3.0.

I have seen many libraries that can be upgraded. Consider upgrading them all at once?
Such as env_log, parking_lot, crossbeam-channl.

@doitian
Member Author

doitian commented Nov 29, 2018

#35 is going to add the outdated-dependencies badge; here is the scan result:

https://deps.rs/repo/github/nervosnetwork/ckb

doitian mentioned this issue Nov 29, 2018
@doitian
Member Author

doitian commented Dec 17, 2018

Will create a separate issue for each crate.

doitian closed this as completed Dec 17, 2018