New in `cargo-crev`: discovering alternatives and flagging unmaintained crates

After seeing a question about ranking crates I thought it might be worth pointing out some new features of cargo-crev.

First - it is now possible to flag any crate as unmaintained. Unmaintained crates are not a big deal, so this doesn't do that much, no loud alarm or anything like that. It is purely informative and will show up here and there.

Another, complementary feature is annotating a crate with its alternatives. Looking for alternatives to crate A? `cargo crev crate info` will display that and more.

Also, you can find crates matching a given keyword, sorted by number of reviews:

```
[I] 11-27 14:39 dpc@futex ~/l/breeze (master)> cargo crev crate search slog
       2 log
       1 slog-term
       1 slog-async
       1 syslog
       0 slog
       0 slog-scope
       0 slog-stdlog
       0 slog-json
       0 slog-envlogger
       0 slog-extra
```

and also list alternatives to a given crate:

```
[I] 11-27 22:37 dpc@futex ~/l/c/cargo-crev (master) [130]> cargo crev crate info term
---
package:
  source: "https://crates.io"
  name: term
  version: 0.6.1
details:
  verified: false
  loc: 2262
  geiger-count: 125
  has-custom-build: false
  unmaintained: true
recursive-details:
  verified: false
  loc: 280287
  geiger-count: 2196
  has-custom-build: true
  unmaintained: true
dependencies:
  - source: "https://crates.io"
    name: winapi
    version: 0.3.7
  - source: "https://crates.io"
    name: dirs
    version: 2.0.2
rev-dependencies:
  - source: "path+file:///home/dpc/lab/crev-dev/cargo-crev/cargo-crev"
    name: cargo-crev
    version: 0.13.0
alternatives:
  - source: "https://crates.io"
    name: yansi
  - source: "https://crates.io"
    name: termcolor
  - source: "https://crates.io"
    name: crossterm
```

Note: these features are still quite new, not many crates have been annotated yet, and there will be many improvements in the future.

I guess a good motivation to try cargo-crev now is: if you have a crate that is an alternative to a more established one - you can help other people discover it, by creating a proof with such annotations.

The aim is to expand the focus from reviewing crates to becoming the most featureful and handy toolkit for navigating, discovering and judging the crates ecosystem, including full code reviews, security issues and advisories. All based on a personalized web of trust architecture at the core of crev.

Cheers! Come join us on matrix or gitter
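
An added example (not part of the original post and not cargo-crev's own code): a small std-only Rust reader for the `cargo crev crate info` report shown above, which keeps the crate's own `unmaintained` flag apart from the `recursive-details` one and collects the listed alternatives. It assumes the layout stays as printed above; `Summary` and `summarize` are hypothetical names.

```rust
// Added example, not cargo-crev code: reads only the layout shown above (not a YAML parser).
#[derive(Debug, Default)]
struct Summary {
    name: String,
    unmaintained: bool,         // details: the crate itself
    unmaintained_in_tree: bool, // recursive-details: assumed to cover the dependency tree
    alternatives: Vec<String>,
}

fn summarize(report: &str) -> Summary {
    let mut s = Summary::default();
    let mut section = "";
    for line in report.lines().filter(|l| !l.trim().is_empty() && l.trim() != "---") {
        let item = line.trim().trim_start_matches("- "); // drop the list marker, if any
        if !line.starts_with(' ') {
            // Top-level keys such as "details:" start in column 0.
            section = item.trim_end_matches(':');
        } else if let Some((key, value)) = item.split_once(": ") {
            let value = value.trim().trim_matches('"');
            // The same key means different things per section, so match on both.
            match (section, key) {
                ("package", "name") => s.name = value.to_string(),
                ("details", "unmaintained") => s.unmaintained = value == "true",
                ("recursive-details", "unmaintained") => s.unmaintained_in_tree = value == "true",
                ("alternatives", "name") => s.alternatives.push(value.to_string()),
                _ => {}
            }
        }
    }
    s
}

// Constructed sample, abridged from the `term` report above.
const SAMPLE: &str = r#"package:
  name: term
details:
  unmaintained: true
recursive-details:
  unmaintained: true
alternatives:
  - source: "https://crates.io"
    name: yansi
  - source: "https://crates.io"
    name: termcolor
"#;

fn main() {
    println!("{:?}", summarize(SAMPLE));
}
```

Matching on the section matters because `name` also appears under `dependencies` and `rev-dependencies`, and `unmaintained` appears under both `details` and `recursive-details`.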

How do people determine if a crate is maintained or not?

It is purely a judgment call. Sometimes authors put it right into the readme, sometimes maintainers are just gone and GitHub issues and PRs are piling up.

I'm trying it right now for the first time. I had to LOL hard while installing since there seems to be a stark mismatch between the mission statement

help you identify dependency-bloat,

and the actual product with a whopping 395 dependencies...

:smiley:

I know. cargo-crev includes a bunch of other quite heavy tools: geiger, tokei, cargo (the library), reqwest, git, a bunch of crypto-libs, so yeah... it got somewhat monstrous in this regard. :smiley:

On the flip-side - it helps dogfooding. Out of that ~400 deps, 105 have been positively reviewed by someone already, and I don't have to leave the project directory when I want to test new features.
