Feature request: Evaluate Cargo.toml #153
Comments
The main way I think we'll end up interacting with `Cargo.toml` files is via Otherwise the scenarios where what you're describing can happen seem... pretty unusual. Here are a few I can think of:
Have you actually encountered any of these (or something similar) in practice? Otherwise I feel like trying to calculate all of the potential outcomes where you might end up with a vulnerable crate can't be done without duplicating Cargo's resolution logic or linking Cargo in as a library, the latter of which would significantly increase build times.
I haven't encountered any of them, but they don't all seem so unlikely as to be not worth worrying about. I think that I would say that this is probably worth leaving on the back burner until such a library exists (maybe the Cargo folks would be willing to factor it out into a crate?). Once that happens, it's probably a small enough amount of work that it's worth it. Before that, I agree that the work is probably not worth it. I also agree that linking Cargo as a library isn't worth it.
One way we could potentially consume `Cargo.toml` is via
While reading `Cargo.lock` is straightforward, one could easily have a `Cargo.toml` file that would allow semver resolution to pick a vulnerable version of a crate even if `cargo` didn't happen to pick that version in practice. It'd be cool if `cargo audit` could consume `Cargo.toml` and enumerate the set of every possibly valid choice of crate versions and emit a warning if any of them have known vulnerabilities. In response to this, the author could tighten the specification of which crate version is required.