mozilla / cbindgen

A project for generating C bindings from Rust code
Mozilla Public License 2.0

Vulnerability in cbindgen due to dependency on an old clap release #899

Closed NuLL3rr0r closed 4 months ago

NuLL3rr0r commented 8 months ago

Simply running the following produces:

$ cargo audit

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── clap 3.2.25
    └── cbindgen 0.26.0
        └── mylib 0.0.0-git
            └── myguiapp 0.0.0-git

warning: 1 allowed warning found

It seems newer clap no longer relies on atty, and the advisory URL also states:

atty is Unmaintained
A Pull Request with a fix has been provided over a year ago but the maintainer seems to be unreachable.

Last release of atty was almost 3 years ago.

Please bump to a version without dependency on atty.
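As an added example (not code from this issue, from cbindgen or from cargo-audit), here is how the dependency-tree attribution in that `cargo audit` output can be reproduced from Cargo.lock alone: parse the `[[package]]` tables, build the reverse-dependency map, and walk from the flagged crate up to the workspace roots. The Cargo.lock text is constructed to mirror the chain reported above and is an assumption, not the reporter's real lockfile.

```python
import re

# Constructed Cargo.lock sample (not from the issue) with the chain cargo audit printed: atty <- clap <- cbindgen <- mylib <- myguiapp.
SAMPLE_LOCK = """\
[[package]]
name = "atty"
version = "0.2.14"
[[package]]
name = "clap"
version = "3.2.25"
dependencies = [
 "atty",
]
[[package]]
name = "cbindgen"
version = "0.26.0"
dependencies = ["clap"]
[[package]]
name = "mylib"
version = "0.0.0-git"
dependencies = ["cbindgen"]
[[package]]
name = "myguiapp"
version = "0.0.0-git"
dependencies = ["mylib"]
"""

def parse_lock(text):
    # Map crate name -> (version, [dependency names]); an entry may read "clap 3.2.25" when two versions coexist, so keep the name only.
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        field = lambda k: re.search(rf'^{k} = "([^"]+)"', block, re.M).group(1)
        m = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        deps = [d.split()[0] for d in re.findall(r'"([^"]+)"', m.group(1))] if m else []
        pkgs[field("name")] = (field("version"), deps)
    return pkgs

def dependents_chains(pkgs, target):
    # Follow reverse edges from `target` up to crates nothing depends on (the roots), one "a -> b -> c" string per path, as cargo audit's tree shows.
    rdeps = {}
    for name, (_, deps) in pkgs.items():
        for d in deps:
            rdeps.setdefault(d, []).append(name)
    def walk(name, seen):
        label = f"{name} {pkgs[name][0]}"
        parents = sorted(p for p in rdeps.get(name, []) if p not in seen)  # `seen` guards cycles
        if not parents:
            return [[label]]
        return [[label] + rest for p in parents for rest in walk(p, seen | {p})]
    return [" -> ".join(path) for path in walk(target, {target})]
```

Run against a real Cargo.lock, `dependents_chains(parse_lock(open("Cargo.lock").read()), "atty")` lists every path by which the unsound crate reaches your workspace, which is the information needed to decide which direct dependency (here cbindgen) has to be bumped.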

NuLL3rr0r commented 8 months ago

According to clap's changelog, v4.0.27 is the first release without atty as a dependency:

4.0.27 - 2022-11-24

Features
- Have Arg::value_parser accept Vec<impl Into<PossibleValue>>
- Implement Display and FromStr for ColorChoice

Fixes
- Remove soundness issue by switching from atty to is-terminal

diligence5087 commented 6 months ago

Duplicate of #880.