Protection/mitigation of SCA's with cargo

marlez · May 15, 2026, 3:09pm

As SCA's keep on surfacing left and right, with quite a few attributable to a perfectly sane practice of preinstall hooks enabled by default in npm et al; is cargo in any way more secure, by design and/or surface area it covers?

I do not remember seeing any "hooks" anywhere near the Rust's package management toolkit, at least not in the traditional sense of the word; yet any crate that wishes to "preinstall" anything with a build.rs instead, can still do so - can it not?

kpreid · May 15, 2026, 3:45pm

There are various proposals in progress, such as adding sandboxing (but this needs further design work and somewhat conflicts with what a build.rs should be able to do) and adding a min-publish-age feature (but this depends on somebody spotting the attack).

Topic		Replies	Views
How does crates.io differ from npm community	51	8679	December 6, 2018
Yet another npm supply-chain attack. Is Cargo any safer? community	59	4727	December 29, 2025
How safe is it to build Rust code in the wild help	2	288	December 30, 2024
How safe is crates.io? community	10	2877	March 28, 2023
Why does rust have to build crate instead of download already built binaryies? help	11	834	January 17, 2025

Protection/mitigation of SCA's with cargo

Related topics