Add security advistory for fast-float.

[Alexhuszagh]

fast-float is currently unmaintained and contains undefined behavior in checking the length of the input aldanor/fast-float-rust#28. Although a patch was implemented and merged, no release was published and there has been no communication by the author in over 3 years.

In addition, there's also potential unsoundness, due to the use of many functions that are non-local safety guarantees marked as safe, assuming the necessary safety guarantees have been met by the caller. The simplest example is in AsciiStr::first, however, this is widely used through the repository:

impl<'a> AsciiStr<'a> {
    #[inline]
    pub fn first(&self) -> u8 {
        unsafe { *self.ptr }
    }
}

I've created a fork that publishes the patches for the undefined behavior and also removes the general unsoundness:

• Fixes #28. aldanor/fast-float-rust#29
• Remove all non-local unsafety. Alexhuszagh/fast-float-rust#7
• Ensure checked indexing is used for the power-of-5 table lookup. Alexhuszagh/fast-float-rust#8
• Add miri and fuzz targets to our CI. Alexhuszagh/fast-float-rust#13

[Shnatsel]

Sorry it took a while to get to. Everything here looks good to me. Thank you for publishing a patched fork and filing an advisory!