-
Notifications
You must be signed in to change notification settings - Fork 992
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limit exposure to dependencies weaknesses #2026
Comments
Just putting this here for some context. 😱 (Via https://github.com/sfackler/cargo-tree)
|
Lord have mercy. |
Different view on this (via https://github.com/kbknapp/cargo-outdated) -
|
Ouch.... Could be interesting to see per package only without internal dependencies also. e.g.:
|
I was thinking through this a bit and when you say
I think the ultimate answer here is to simply check in and use the So if there is more work to be done on this issue, my question would be, what exactly is the work to be done? Perhaps this research spike is closed and the take home is #2040 being open? |
I think we've all had this in mind for quite a while but this was a direct reminder (widely used npm package with newly injected malicious code):
dominictarr/event-stream#116
I don't think we should worry about auditing every single of our dependencies and Rust does a good job at protecting us from some of these attacks. At this stage I'm also not too worried about crates.io getting hacked. But I do think we should at least make sure every single of our dependency is pinned to a specific version.
The text was updated successfully, but these errors were encountered: