Some improvements (RegexSet, dependabot, SPDX license id, crusty linter, and more)

[NoNameForMee]

Changes included here is:

• Add dependabot.yml to help keep dependencies and GitHub actions updated. And commits by dependabot updating these as well.. (The bot creates Pull Requests which can be merged automatically with a simple comment response, @dependabot merge, if the CI/CD jobs succeed).
• Add crusty lint and fix some of its suggested improvements.
• Add bash script to avoid empty banners (issue 12).
• Update cef.rs based on official Spotify build, converted to rust using updated bindgen-cli.
• Change lib.rs to use RegexSet instead of looping over single Regex, as per https://docs.rs/regex/latest/regex/struct.RegexSet.html.
• Add appropriate SPDX-License-Identifier: GPL-3.0-or-later to each file (excluding cef.rs which had BSD-3-Clause license), as per https://spdx.dev/ids/ which is also an official ISO/IEC 5962:2021 standard.
• Add license to the Cargo.toml file, and explicitly forbid regex < 1.5.5 as to avoid https://blog.rust-lang.org/2022/03/08/cve-2022-24713.html.

---

I known this pull request got rather large and covered a lot of different things, feel free to squash the various commits into one single merge commit or simply discard this in it entirety. (I had one PR previously in #81 covering just Dependabot, but this was not merged).

[github-advanced-security]

You have successfully added a new clippy configuration .github/workflows/rust-clippy.yml:rust-clippy-analyze. As part of the setup process, we have scanned this repository and found no existing alerts. In the future, you will see all code scanning alerts on the repository Security tab.

[ZeroDot1]

Hi @abba23 Please accept this PR, it looks very good.

[abba23]

First of all, thanks for taking the time creating this pull request and sorry for being extremely slow to respond to it. As long as this project is working for me personally, I kind of struggle to find the motivation and time deal with proposed changes like this.

• Add dependabot.yml to help keep dependencies and GitHub actions updated. And commits by dependabot updating these as well.. (The bot creates Pull Requests which can be merged automatically with a simple comment response, @dependabot merge, if the CI/CD jobs succeed).

I'm not convinced that Dependabot would be all that useful here to be honest. I'd much rather just manually update dependencies when they actually break and make sure everything is working again instead of cluttering up the repo's history with mostly unnecessary commits that can potentially break functionality (beyond obvious build failures). Security issues in outdated dependencies shouldn't really be relevant, since everything is just running locally anyway.

• Add bash script to avoid empty banners (issue 12).

Utility scripts like that aren't really something I want to maintain. There are just too many different edge cases (e.g. installation paths and Spotify versions) to consider. Making sure it's working for everyone and stays that way in the future would be time-consuming and the complaints when it inevitably doesn't at some point would be annoying.

• Update cef.rs based on official Spotify build, converted to rust using updated bindgen-cli.

I'd also rather just keep this as it is until it breaks. No reason to introduce changes while everything is still working and make that file even bigger than it already is.

• Change lib.rs to use RegexSet instead of looping over single Regex, as per https://docs.rs/regex/latest/regex/struct.RegexSet.html.

I've just made this change myself while checking if serde_regex can also parse to RegexSets directly. Thanks for the hint!

• Add crusty lint and fix some of its suggested improvements.
• Add appropriate SPDX-License-Identifier: GPL-3.0-or-later to each file (excluding cef.rs which had BSD-3-Clause license), as per https://spdx.dev/ids/ which is also an official ISO/IEC 5962:2021 standard.

The linter fixes and SPDX identifiers seem like reasonable changes with no risk of breaking anything. Probably something for a separate pull request though.

• Add license to the Cargo.toml file, and explicitly forbid regex < 1.5.5 as to avoid https://blog.rust-lang.org/2022/03/08/cve-2022-24713.html.

I don't mind adding this either, even though, as I understand it, the only "risk" of allowing earlier versions would be someone who has already compromized your machine being able to freeze Spotify by adding a malicious regex to the config file.