Is it possible to ensure safety when utilising Rust crates, considering that they may be developed by individual contributors and featured on the official Rust crates website? Are these crates typically third-party contributions, and can their usage be considered secure, taking into account the contributions of all developers involved, without causing any offence?
Anybody can upload any Rust crate on crates.io, including malware, same as with any other package manager like npm or pypi. Crates.io is vetted by https://rustsec.org/ though, which maintains a security vulnerability database and tools that allow you to check your dependencies with ease against the database, like the cargo audit and cargo deny Cargo subcommands.

For additional assurance you can install cargo-crev and start reviewing packages and reading others' reviews before you use them.
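A worked example of what the answer above points at, added here and not part of the original post or of the cargo-deny project: a deny.toml policy file that makes cargo deny fail a build on known RUSTSEC advisories, yanked versions, unexpected licenses and dependencies fetched from anywhere other than crates.io. The key names assume the `version = 2` form of the cargo-deny configuration schema; check the template that `cargo deny init` writes for your installed version, since older releases used different advisory keys. The crate names, advisory id and license list are placeholders to adapt to your project.

```toml
# deny.toml - policy consulted by `cargo deny check` (added example, not project code)

[advisories]
# Schema version 2: every advisory in the RustSEC database that matches a
# dependency in Cargo.lock is an error unless it is listed under `ignore`.
version = 2
db-urls = ["https://github.com/rustsec/advisory-db"]
# Crate versions pulled from crates.io by their author are treated as a failure
# rather than a warning, because a yank usually signals a known defect.
yanked = "deny"
# Accepted risks must be spelled out per advisory so the exception is reviewable.
ignore = [
    # "RUSTSEC-0000-0000",  # placeholder id; add a comment explaining why it is accepted
]

[licenses]
version = 2
# Anything not on this list fails the check; extend it deliberately.
allow = ["MIT", "Apache-2.0", "BSD-3-Clause"]

[bans]
# Several versions of one crate inflate the audit surface; surface them.
multiple-versions = "warn"
# Crates you never want in the graph (placeholder name).
deny = [
    { name = "example-banned-crate" },
]

[sources]
# Only dependencies resolved from the crates.io index are permitted, so a
# stray git or alternative-registry dependency cannot slip in unnoticed.
unknown-registry = "deny"
unknown-git = "deny"
```

Commit the file next to Cargo.toml and run `cargo deny check` in CI; it exits non-zero whenever a dependency violates the policy, which is the point where `cargo audit` alone (which only covers the advisory database) stops and `cargo deny` adds license, source and duplicate checks.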