chore: Fix cargo audit warnings

[mrnaveira]

Problem

Currently, cargo-audit reports 9 warnings in our dependencies:

Some of these are false positives or unavoidable due to us already using the latest available versions.

Updating the rest involves non-trivial work, as they introduce breaking changes. These changes need to be rolled out smoothly.

List of affected dependencies

• sqlx: Needs to be upgraded to version 0.8.x, which introduces breaking changes.
• reqwest: Needs to be upgraded to version 0.12.x. Also results in breaking changes.
• Multiple unmaintained crates with known vulnerabilities:
  • web3
  • atty
  • derivative
    We need to evaluate and migrate to alternative crates where possible.
• ethcontract-rs: This is a repository within our organization, so we can directly fix the transitive dependency issues in its latest version.
• prometheus: We are already on the latest version (0.13.4). We should update as soon as a new release becomes available.

[squadgazzz]

I see traces of the dependency bot, which was disabled for some reason https://github.com/cowprotocol/services/commits?author=dependabot%5Bbot%5D

[Grinsven]

cargo-audit CI integration is now active in #3823. All dependencies requiring non-trivial upgrades are excluded in .cargo/audit.toml until they can be addressed. The config references this issue for tracking.

Excluded advisories cover sqlx (RUSTSEC-2024-0363), atty (RUSTSEC-2024-0375, RUSTSEC-2021-0145), derivative (RUSTSEC-2024-0388), and 10 additional vulnerabilities in transitive dependencies. Each exclusion documents the required upgrade version or migration path.

When dependencies are upgraded per the checkboxes in this issue, the corresponding RUSTSEC IDs should be removed from .cargo/audit.toml to ensure CI catches any regressions.