GitHub has a nice feature(dependabot) to notify about vulnerabilities in crates which you use. I usually like to be proactive and take care of that.
However, I stumbled on the issues that sometimes the vulnerability is way-way upstream.
For example, a critical vulnerability in traitobject exist (NVD - CVE-2020-35881). We don't use it directly, but rather we got it via following dependency chain:
What do you do in such case? Do you fork it/fix it and and do [patch] to override dependency? Per my understanding it should work.
However, I see only 3 (public) forks of traitobject for 2.5M of logrs downloads which leads me to question whether other people do it like that.