octorust depends on ring 0.16, which is no longer receiving security updates

[eric-seppanen]

RustSec reports all versions of ring before 0.17.12 as vulnerable to https://rustsec.org/advisories/RUSTSEC-2025-0009. Though this particular issue may not be critical (and it's unclear whether 0.16 is really affected), the author has stated "Nobody should be using 0.16.20 any longer." (link)

It seems pretty clear that ring 0.16 is unmaintained, which is a bad property for a cryptography library. There haven't been any 0.16 releases since 2021.

octorust depends on ring 0.16 both as a direct dependency, and transitively via jsonwebtoken 8.x.

[augustuswm]

These are currently being updated in #99 , and I am planning release by early next week.

[augustuswm]

Version 0.10.0 of octorust has been released to crates.io. It contains the dependency updates indicated in #101