This repository was archived by the owner on Nov 15, 2023. It is now read-only.

clean up dependencies for next release #7956

@gnunicorn

For #7947 we want to prune our dependency tree again. Mainly this means:

  • remove duplicates, where possible
  • cargo audit currently identifies 13 dependencies that are vulnerable, 3 of which have been yanked.
    • block-cipher is unmaintained - which we pull in via libp2p, through chacha20poly1305 (which has an updated version not depending on block-cipher), which is a dependency of snow, for which there is no update yet. Required action:
    • difference is unmaintained, we are pulling it in through sp-state-machine's dependency pretty_assertions. Unfortunately, it appears that pretty_assertions is also not maintained anymore (last release and PR merge was Feb 2019, multiple PRs pending since, no updates). Secondly, difference is pulled in from node-cli via assert_cmd. Fortunately, it is only a dev-dependency in both cases. No action required.
    • We are pulling in the unmaintained failure-crate via jsonrpc-client-transports (via jsonrpc-core-client), new versions have been issued (v17) that do not depend on failure anymore. Action:
    • memmap 0.7.0, needed by parity-db 0.1.2, is not maintained anymore. But a fork and drop-in-replacement seems to exist: memmap2. Required actions:
    • net2 0.2.35 is not maintained anymore. Recommendation is to use socket2 instead. It isn't 100% clear, but it seems that an update to jsonrpc will also cover this one.
      • confirm upgrading jsonrpc will fix this.
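
The dependency chains described in this issue can be traced directly from a lockfile by inverting its edges. The following is an added example, not code from the issue or from the Substrate repository; the lockfile excerpt is constructed, and the names `reverse_deps` and `paths_to` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed Cargo.lock excerpt mirroring chains named in the issue (not the real lockfile).
SAMPLE_LOCK = '''
[[package]]
name = "difference"
[[package]]
name = "pretty_assertions"
dependencies = [
 "difference",
]
[[package]]
name = "assert_cmd"
dependencies = [
 "difference",
]
[[package]]
name = "sp-state-machine"
dependencies = [
 "pretty_assertions",
]
[[package]]
name = "node-cli"
dependencies = [
 "assert_cmd",
]
'''

def reverse_deps(lock_text):
    """Map each crate name to the set of crates that list it as a dependency.
    Dependency entries are "name" or "name version [(source)]"; only the name is kept."""
    rev = defaultdict(set)
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r"^dependencies = \[(.*?)^\]", block, re.M | re.S)
        for entry in re.findall(r'"([^"]+)"', deps.group(1) if deps else ""):
            rev[entry.split()[0]].add(name)
    return rev

def paths_to(rev, target, path=None):
    """Yield every chain from `target` up to a crate that has no dependents."""
    path = (path or []) + [target]
    parents = sorted(p for p in rev.get(target, ()) if p not in path)  # cycle guard
    if not parents:
        yield path
    for parent in parents:
        yield from paths_to(rev, parent, path)

if __name__ == "__main__":
    print("\n".join(" <- ".join(c) for c in paths_to(reverse_deps(SAMPLE_LOCK), "difference")))
```

Cargo.lock does not record whether an edge is a dev-dependency, so that has to be confirmed in the `Cargo.toml` of the crate at the head of each chain.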
