Cargo.toml dependencies security best practices

Are there any guidelines or best practices how to audit/review dependencies and especially dependencies of dependencies?

I’ve just watched “Analysis of an Exploited NPM Package || Jarrod Overson”: https://www.youtube.com/watch?v=2cyib2MgvdM – it’s a quick presentation that made me think whether and how relevant it is for Rust and cargo/crates.io since both cargo and npm share the same/similar dependency versioning scheme and capabilities.

1 Like

If you’re asking to audit dependencies for security vulnerabilities, you may want to have a look at cargo-audit. If not, then please clarify what you mean by audit/review dependencies, since not everyone wants to watch the whole presentation for that matter.

1 Like

You may be interested in cargo-review-deps, a project from Ferrous Systems that helps you to review changes in your dependencies when you run cargo update.

1 Like

You can review your dependencies, and share your results with the community, using cargo-crev

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.