
anymap dependency is unmaintained (RUSTSEC-2021-0065) #440

Closed
repi opened this issue May 9, 2021 · 4 comments · Fixed by #445
Labels
bug Not as expected

Comments

@repi

repi commented May 9, 2021

The anymap dependency in liquid-core triggers a RUSTSEC-2021-0065 advisory, as it is unmaintained and the latest version has an unreleased soundness issue.

13 │ anymap 0.12.1 registry+https://github.com/rust-lang/crates.io-index
   │ ------------------------------------------------------------------- unmaintained advisory detected
   │
   = ID: RUSTSEC-2021-0065
   = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0065
   = The `anymap` crate does not appear to be maintained, and the most recent
     published version 0.12.1 includes a soundness bug. This has been
     [fixed](https://github.com/chris-morgan/anymap/pull/32) a few years ago, but
     was never released.
   = Announcement: https://github.com/chris-morgan/anymap/issues/37
   = Solution: No safe upgrade is available!
   = anymap v0.12.1
     └── liquid-core v0.21.3
         ├── liquid v0.21.5
         │   └── (build) tract-linalg v0.12.5
         │       └── tract-core v0.12.5
         │           ├── tract-hir v0.12.5
         │           │   ├── tract-onnx v0.12.5

Possible to replace the dependency? Likely not critical in the short term, but it would be nice to not have to suppress the advisory.

@epage
Member

epage commented May 10, 2021

Thanks! That is disappointing that this crate has gone unmaintained. If it's ok, I'm going to wait a little bit to see what others migrate to (whether anymap2 is any better or something else).

@epage epage added the bug Not as expected label May 10, 2021
@repi
Author

repi commented May 10, 2021

Thanks, np

@chaaz

chaaz commented Aug 24, 2021

@epage Any word on this? anymap2 seems like the best bet, I guess. The soundness issue there is fixed, and it seems mostly backwards-compatible, sans some ergonomic hit that I can't tell if it will affect liquid-rust. I agree w/ repi that there's no pressure here, just curious.

@epage epage mentioned this issue Aug 25, 2021
@epage
Member

epage commented Aug 25, 2021

Sure, I'll go ahead and switch over. Looks like I exposed it in a public API, even though it didn't need it.
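The last comment touches the practical lesson of this thread for supply-chain hygiene: a third-party type that leaks into a crate's public API cannot be swapped out (here, anymap for anymap2) without a breaking change for downstream users. The following is an added illustration, not liquid-rust's code and not the anymap or anymap2 API: a minimal type map whose backing store is a private field, so only the wrapper's own methods are public and the storage implementation can be replaced later without touching callers. The `TypeMap` name and the std-based backing store are constructed for this example.

```rust
// Added example (not liquid-rust's own code): a type map that keeps its
// backing store private. Callers only see TypeMap and its methods, so the
// store (a std HashMap here, standing in for a third-party crate) can be
// replaced without a public API change.
use std::any::{Any, TypeId};
use std::collections::HashMap;

/// Public wrapper. The field is private, so no caller can name or depend
/// on the backing map type; that is the whole point of the pattern.
#[derive(Default)]
pub struct TypeMap {
    // Constructed stand-in for the external dependency's map type.
    inner: HashMap<TypeId, Box<dyn Any>>,
}

impl TypeMap {
    pub fn new() -> Self {
        Self::default()
    }

    /// Insert a value keyed by its type; returns the previous value of
    /// that type, if one was stored.
    pub fn insert<T: Any>(&mut self, value: T) -> Option<T> {
        self.inner
            .insert(TypeId::of::<T>(), Box::new(value))
            .and_then(|old| old.downcast::<T>().ok())
            .map(|boxed| *boxed)
    }

    /// Borrow the stored value of type T. The TypeId key guarantees the
    /// downcast matches, so a mismatch can only yield None, never a
    /// wrongly-typed reference.
    pub fn get<T: Any>(&self) -> Option<&T> {
        self.inner
            .get(&TypeId::of::<T>())
            .and_then(|boxed| boxed.downcast_ref::<T>())
    }

    pub fn get_mut<T: Any>(&mut self) -> Option<&mut T> {
        self.inner
            .get_mut(&TypeId::of::<T>())
            .and_then(|boxed| boxed.downcast_mut::<T>())
    }

    /// Remove and return the stored value of type T.
    pub fn remove<T: Any>(&mut self) -> Option<T> {
        self.inner
            .remove(&TypeId::of::<T>())
            .and_then(|boxed| boxed.downcast::<T>().ok())
            .map(|boxed| *boxed)
    }

    pub fn contains<T: Any>(&self) -> bool {
        self.inner.contains_key(&TypeId::of::<T>())
    }

    pub fn len(&self) -> usize {
        self.inner.len()
    }

    pub fn is_empty(&self) -> bool {
        self.inner.is_empty()
    }
}

/// Stand-alone usage: store two values of different types and read them back.
fn main() {
    let mut map = TypeMap::new();
    map.insert(42u32);
    map.insert(String::from("constructed sample value"));
    println!("u32: {:?}", map.get::<u32>());
    println!("String: {:?}", map.get::<String>());
    println!("entries: {}", map.len());
}
```

Because `inner` is private, replacing `HashMap<TypeId, Box<dyn Any>>` with any other store only changes this file; an advisory against the store crate then becomes an internal fix rather than a semver-breaking release for every dependent.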
