Are there any guidelines or best practices how to audit/review dependencies and especially dependencies of dependencies?
I've just watched "Analysis of an Exploited NPM Package || Jarrod Overson": Analysis of an Exploited NPM Package || Jarrod Overson - YouTube -- it's a quick presentation that made me think whether and how relevant it is for Rust and cargo/crates.io since both cargo and npm share the same/similar dependency versioning scheme and capabilities.
If you're asking to audit dependencies for security vulnerabilities, you may want to have a look at cargo-audit. If not, then please clarify what you mean by audit/review dependencies, since not everyone wants to watch the whole presentation for that matter.
You may be interested in cargo-review-deps, a project from Ferrous Systems that helps you to review changes in your dependencies when you run cargo update.
You can review your dependencies, and share your results with the community, using cargo-crev
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.