Minimp3 has a security vunerability

[dvdsk]

https://github.com/RustAudio/rodio/security/dependabot/2

Impact on rodio: low
Our default is symphonia which has no such vulnerabilities.

Possible resolutions

• remove minimp3, symphonia covers all use-cases. The only reason to keep minimp3 is licensing
• fix minimp3 by removing its dependency on slice-ring-buffer. Note I have an old fork of minimp3 which implements seeking. Might be worth fixing it there and then adding seeking support to minimp3 in rodio: https://github.com/dvdsk/minimp3-rs

[roderickvd]

I vote for removing minimp3. Any community effort is better spent on improving pure Rust Symphonia than reviving C-based minimp3.

[dvdsk]

https://github.com/germangb/minimp3-rs

Minimp3 is maintained again and the issue is on their agenda. Lets wait for fix.

[roderickvd]

The recent maintainer has added in germangb/minimp3-rs#51:

Caution

This crate is not recommended for new projects due to multiple memory
unsoundness issues and the availability of mature, safe Rust alternatives.
Consider using fully Rust-based libraries instead, such as:

• symphonia
• nanomp3

So maybe move to nanomp3.

[dvdsk]

I vote for removing minimp3. Any community effort is better spent on improving pure Rust Symphonia than reviving C-based minimp3.

I agree with this now. Lets just rip it out.