Publish zerovec-derive v0.10.4

[Diggsey]

Cargo audit is currently flagging up https://rustsec.org/advisories/RUSTSEC-2024-0346.html which I believe is fixed on master? But not yet published.

[Manishearth]

Yeah, what happened here is that:

• We accidentally published an advisory where zerovec-derive 0.10.3 is included as an affected version (it isn't)
• We haven't merged the bumped cargo.toml versions to main. They exist on ind/zerovec-* tags.
  • @sffc you mentioned you didn't think mergebacks were necessary in our 2.0 transitional state. Do you still hold this opinion? I think we may have also gotten our wires crossed between "making a merge commit" and "merging back cargo.toml changes" since I would have been asking about both.

[Manishearth]

Also fixing the advisory in rustsec/advisory-db#2007

[Manishearth]

PR for a new zerovec version in #5197, but we don't really need it now that the advisory is published?

I'm going to mark this as closed unless tooling stays broken somehow.

[Diggsey]

@Manishearth Thanks!

[thgoebel]

FYI for anyone stumbling upon this: Github's advisory is not yet synced with the updated Rustsec advisory. Github still shows 0.10.4 as the patched version: GHSA-74r5-g7vc-j2v2 (archived)
I assume/hope that their bot will pick it up later...

[sffc]

@sffc you mentioned you didn't think mergebacks were necessary in our 2.0 transitional state. Do you still hold this opinion? I think we may have also gotten our wires crossed between "making a merge commit" and "merging back cargo.toml changes" since I would have been asking about both.

As far as Cargo.toml versions in the repo, they are by definition only snapshot versions. The only real versions are the tagged versions. I don't see the benefit of merging those changes into main.