Cargo.toml dependencies security best practices

Are there any guidelines or best practices how to audit/review dependencies and especially dependencies of dependencies?

I’ve just watched “Analysis of an Exploited NPM Package || Jarrod Overson”: it’s a quick presentation that made me think whether and how relevant it is for Rust and cargo, since both cargo and npm share the same/similar dependency versioning scheme and capabilities.

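As an added example that is not part of the thread or of any tool it mentions: a small Rust program that reads the `[[package]]` tables of a Cargo.lock and answers the dependencies-of-dependencies question offline. It walks the transitive dependency set of a root crate, lists the reachable packages whose source is not the crates.io registry (git and path sources, which carry no registry checksum), and lists crates present in more than one version. The lockfile in the block is constructed for the example and every crate name in it is fictitious; the only assumption about the real format is that each package table carries `name`, `version`, an optional `source` and an optional `dependencies` array, as Cargo writes them.

```rust
// Added example, not code from the thread or from the tools named in it: a reader for the
// `[[package]]` tables of Cargo.lock that walks a root crate's transitive dependency set, flags
// packages not served by the crates.io registry, and flags crates present in several versions.
use std::collections::{BTreeMap, BTreeSet, VecDeque};
pub const CRATES_IO: &str = "registry+https://github.com/rust-lang/crates.io-index";

pub struct Package {
    pub name: String,
    pub version: String,
    pub source: Option<String>,    // None for workspace members and path dependencies
    pub dependencies: Vec<String>, // lockfile entries: "name" or "name x.y.z"
}

fn unquote(s: &str) -> Option<String> {
    let s = s.trim().trim_end_matches(',');
    (s.len() >= 2 && s.starts_with('"') && s.ends_with('"')).then(|| s[1..s.len() - 1].to_string())
}

/// Parse name, version, source and dependencies of every `[[package]]` table (other keys are skipped).
pub fn parse_lock(text: &str) -> Vec<Package> {
    text.split("[[package]]").skip(1).map(|table| {
        let mut p = Package { name: String::new(), version: String::new(), source: None, dependencies: Vec::new() };
        let mut in_deps = false; // inside a multi-line `dependencies = [ ... ]`, the form Cargo writes
        for line in table.lines().map(str::trim) {
            if in_deps {
                if line.starts_with(']') { in_deps = false } else { p.dependencies.extend(unquote(line)) }
            } else if let Some((k, v)) = line.split_once('=') {
                let v = v.trim();
                match k.trim() {
                    "name" => p.name = unquote(v).unwrap_or_default(),
                    "version" => p.version = unquote(v).unwrap_or_default(),
                    "source" => p.source = unquote(v),
                    "dependencies" if v == "[" => in_deps = true,
                    "dependencies" => p.dependencies.extend(v.trim_matches(|c: char| c == '[' || c == ']').split(',').filter_map(unquote)),
                    _ => {} // checksum and anything else is not needed here
                }
            }
        }
        p
    }).collect()
}

pub fn key(p: &Package) -> String { format!("{} {}", p.name, p.version) }
/// Resolve a lockfile dependency entry ("name" or "name x.y.z") to its package.
fn resolve<'a>(dep: &str, packages: &'a [Package]) -> Option<&'a Package> {
    let mut parts = dep.split_whitespace();
    let (name, version) = (parts.next()?, parts.next());
    packages.iter().find(|p| p.name == name && version.map_or(true, |v| p.version == v))
}

/// Every package reachable from `root`: its direct and transitive dependencies.
pub fn reachable(root: &str, packages: &[Package]) -> BTreeSet<String> {
    let mut queue: VecDeque<&Package> = packages.iter().filter(|p| p.name == root).collect();
    let mut seen = BTreeSet::new();
    while let Some(p) = queue.pop_front() {
        if seen.insert(key(p)) { queue.extend(p.dependencies.iter().filter_map(|d| resolve(d, packages))); }
    }
    seen
}

/// Reachable packages not served by crates.io (git, path, other registries); the root itself is skipped.
pub fn non_crates_io(root: &str, packages: &[Package], reach: &BTreeSet<String>) -> Vec<String> {
    packages.iter().filter(|p| p.name != root && reach.contains(&key(p)) && p.source.as_deref() != Some(CRATES_IO))
        .map(|p| format!("{} ({})", key(p), p.source.as_deref().unwrap_or("no source: path dependency"))).collect()
}

/// Reachable crates present in more than one version: every extra copy is more code to review.
pub fn duplicate_versions(packages: &[Package], reach: &BTreeSet<String>) -> BTreeMap<String, Vec<String>> {
    let mut versions: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for p in packages.iter().filter(|p| reach.contains(&key(p))) { versions.entry(p.name.clone()).or_default().push(p.version.clone()); }
    versions.into_iter().filter(|(_, v)| v.len() > 1).collect()
}

/// Constructed lockfile for this example; every crate name in it is fictitious.
pub const SAMPLE_LOCK: &str = r##"
[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "bytelike 1.1.0",
 "netlib",
]
[[package]]
name = "netlib"
version = "0.4.0"
source = "git+https://example.invalid/netlib#deadbeef"
dependencies = ["bytelike 0.5.6"]
[[package]]
name = "bytelike"
version = "0.5.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "bytelike"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "orphan-tool"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"##;
```

On the constructed lockfile, `reachable("myapp", ..)` returns four of the five locked packages (`orphan-tool` is locked but nothing in `myapp` pulls it in, as happens with other workspace members' dependencies), `non_crates_io` reports only `netlib`, which is fetched from a git revision rather than the registry, and `duplicate_versions` reports that `bytelike` ships twice, 0.5.6 via `netlib` and 1.1.0 directly. Those three lists are the entries worth reading first after a `cargo update`; real lockfiles also carry `checksum` keys and, in older versions, a `[metadata]` table, both of which the parser ignores.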

If you’re asking to audit dependencies for security vulnerabilities, you may want to have a look at cargo-audit. If not, then please clarify what you mean by audit/review dependencies, since not everyone wants to watch the whole presentation for that matter.

You may be interested in cargo-review-deps, a project from Ferrous Systems that helps you to review changes in your dependencies when you run cargo update.


You can review your dependencies, and share your results with the community, using cargo-crev.