Ensuring safety considerations for Rust Crates from the Official Website

Is it possible to ensure safety when utilising Rust crates, considering that they may be developed by individual contributors and featured on the official Rust crates website? Are these crates typically third-party contributions, and can their usage be considered secure, taking into account the contributions of all developers involved, without causing any offence?

Anybody can upload any Rust crate to crates.io, including malware, the same as with any other package manager like npm or PyPI. Crates.io is vetted by https://rustsec.org/, though, which maintains a security vulnerability database and tools that let you easily check your dependencies against the database, like the cargo audit and cargo deny Cargo subcommands.

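As an added illustration of what those two subcommands automate (this is example code written for this page, not the source of cargo-audit, cargo-deny or the thread's own code), the Rust program below scans a Cargo.lock the way they do: it compares each locked package against an advisory list, flags any dependency that does not come from the crates.io registry (the check `cargo deny check sources` performs), and reports crates locked at more than one version (`cargo deny check bans`). The lockfile text, the crate names `sample-http` / `sample-log`, and the advisory id `EXAMPLE-0001` are all constructed placeholders, not real crates or RustSec entries; real data would come from the RustSec advisory database. Only the standard library is used, so it runs with plain rustc.

```rust
use std::collections::BTreeMap;

// Constructed sample Cargo.lock (not a real project): one path package,
// one registry crate, and one crate present twice, once from a git source.
const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "sample-http",
 "sample-log",
]

[[package]]
name = "sample-http"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "sample-log"
version = "1.0.0"
source = "git+https://example.com/someone/sample-log?branch=main#0123456789abcdef"

[[package]]
name = "sample-log"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

const CRATES_IO: &str = "registry+https://github.com/rust-lang/crates.io-index";

/// Semver core triple. Tuple ordering is lexicographic, which is correct for
/// major.minor.patch; pre-release tags are not handled here.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
struct Version(u64, u64, u64);

impl Version {
    fn parse(s: &str) -> Option<Version> {
        let mut parts = s.split('.').map(|p| p.parse::<u64>());
        Some(Version(parts.next()?.ok()?, parts.next()?.ok()?, parts.next()?.ok()?))
    }
}

#[derive(Debug, PartialEq)]
struct Package {
    name: String,
    version: Version,
    source: Option<String>, // None for path/workspace packages
}

/// Hypothetical advisory record: the id and crate are placeholders.
/// Versions >= `patched` are considered fixed.
struct Advisory {
    id: &'static str,
    package: &'static str,
    patched: Version,
}

fn sample_advisories() -> Vec<Advisory> {
    vec![Advisory { id: "EXAMPLE-0001", package: "sample-http", patched: Version(0, 3, 2) }]
}

#[derive(Debug, PartialEq)]
enum Finding {
    Vulnerable { package: String, version: Version, advisory: &'static str },
    UntrustedSource { package: String, source: String },
    Duplicate { package: String, count: usize },
}

/// Read the `[[package]]` tables of a Cargo.lock. Only name, version and
/// source are kept; checksums and dependency arrays are skipped.
fn parse_lockfile(text: &str) -> Vec<Package> {
    let mut pkgs = Vec::new();
    let (mut name, mut version, mut source) = (None::<String>, None::<Version>, None::<String>);
    let mut in_pkg = false;
    // A trailing sentinel header flushes the final package without duplicating code.
    for raw in text.lines().chain(std::iter::once("[[package]]")) {
        let line = raw.trim();
        if line == "[[package]]" {
            if let (true, Some(n), Some(v)) = (in_pkg, name.take(), version.take()) {
                pkgs.push(Package { name: n, version: v, source: source.take() });
            }
            in_pkg = true;
            source = None;
            continue;
        }
        if !in_pkg {
            continue; // top-level `version = 3` etc.
        }
        if let Some((key, val)) = line.split_once(" = ") {
            let val = val.trim_matches('"');
            match key {
                "name" => name = Some(val.to_string()),
                "version" => version = Version::parse(val),
                "source" => source = Some(val.to_string()),
                _ => {}
            }
        }
    }
    pkgs
}

fn check(pkgs: &[Package], advisories: &[Advisory]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for p in pkgs {
        // Advisory match: same crate, locked version below the first patched one.
        for a in advisories.iter().filter(|a| a.package == p.name && p.version < a.patched) {
            findings.push(Finding::Vulnerable { package: p.name.clone(), version: p.version.clone(), advisory: a.id });
        }
        // Source allow-list: anything but the crates.io registry is flagged.
        if let Some(s) = &p.source {
            if s != CRATES_IO {
                findings.push(Finding::UntrustedSource { package: p.name.clone(), source: s.clone() });
            }
        }
    }
    // Duplicate versions of one crate inflate the audit surface.
    let mut counts: BTreeMap<&str, usize> = BTreeMap::new();
    for p in pkgs {
        *counts.entry(p.name.as_str()).or_insert(0) += 1;
    }
    for (name, count) in counts {
        if count > 1 {
            findings.push(Finding::Duplicate { package: name.to_string(), count });
        }
    }
    findings
}

fn main() {
    for f in check(&parse_lockfile(SAMPLE_LOCK), &sample_advisories()) {
        println!("{:?}", f);
    }
}
```

Run against the constructed lockfile it reports three findings: `sample-http` 0.3.1 below the patched version in the placeholder advisory, `sample-log` pulled from a git URL instead of the registry, and `sample-log` locked at two versions. The real tools add the things this sketch deliberately leaves out: fetching and verifying the advisory database, full semver range matching, and license and wildcard-dependency policy.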

For additional assurance you can install cargo-crev and start reviewing packages and reading others' reviews before you use them.

