Feature request: Evaluate Cargo.toml #153
Comments
|
The main way I think we'll end up interacting with Cargo.toml files is via Otherwise the scenarios where what you're describing can happen seem... pretty unusual. Here are a few I can think of:
Have you actually encountered any of these (or something similar) in practice? Otherwise I feel like trying to calculate all of the potential outcomes where you might end up with a vulnerable crate can't be done without duplicating Cargo's resolution logic or linking Cargo in as a library, the latter of which would significantly increase build times. |
|
I haven't encountered any of them, but they don't all seem so unlikely as to be not worth worrying about. I think that I would say that this is probably worth leaving on the back burner until such a library exists (maybe the Cargo folks would be willing to factor it out into a crate?). Once that happens, it's probably a small enough amount of work that it's worth it. Before that, I agree that the work is probably not worth it. I also agree that linking Cargo as a library isn't worth it. |
|
One way we could potentially consume Cargo.toml is via |
While reading
Cargo.lockis straightforward, one could easily have aCargo.tomlfile that would allow semver resolution to pick a vulnerable version of a crate even ifcargodidn't happen to pick that version in practice. It'd be cool ifcargo auditcould consumeCargo.tomland enumerate the set of every possibly valid choice of crate versions and emit a warning if any of them have known vulnerabilities. In response to this, the author could tighten the specification of which crate version is required.The text was updated successfully, but these errors were encountered: