cargo-dephell
Cargo dephell analyzes the third-party dependencies of a Rust workspace (by mimoo)
cargo-geiger
Detects usage of unsafe Rust in a Rust crate and its dependencies. (by geiger-rs)
Our great sponsors
| cargo-dephell | cargo-geiger | |
|---|---|---|
| 2 | 30 | |
| 46 | 1,310 | |
| - | 1.8% | |
| 1.8 | 5.4 | |
| 12 months ago | 10 days ago | |
| HTML | Rust | |
| - | GNU General Public License v3.0 or later |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cargo-dephell
Posts with mentions or reviews of cargo-dephell.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-11-18.
-
Backdooring Rust crates for fun and profit
That's why I started https://github.com/mimoo/cargo-dephell and https://github.com/diem/whackadep btw, to try to get a sense of the risk in our Rust dependencies. The second one is a web UI that can update periodically and shows you what's up with your dependencies. If there's a new update, it'll tell you if it affected a `build.rs` file (which triggers a warning). I wanted to add more rules, like the ones mentioned in the article, but never had the time to do it.
-
Is the crate dependency becoming a problem?
Check whackadep and cargo-dephell: https://github.com/mimoo/cargo-dephell and https://github.com/diem/whackadep
cargo-geiger
Posts with mentions or reviews of cargo-geiger.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-10-25.
-
Was Rust Worth It?
Instead of looking at the crates themselves, you might want to check your (or others') Rust application with https://github.com/rust-secure-code/cargo-geiger to get a sense of effective prevalence. I also dispute that the presence of unsafe somewhere in the dependency tree is an issue in itself, but that's a different discussion that many more had in other sub-threads.
-
Found a language in development called Vale which claims to be the safest AOT compiled language in the World (Claims to beSafer than Rust)
There's still plenty. Run cargo geiger on any of your projects and see for yourself.
-
Question Omnibus: Dependency Fingerprinting, Unsafe Rust, and Memory Safety
On point 2, the answer is cargo geiger, and judging how much memory safety you need for a given project.
- pliron: An extensible compiler IR framework, inspired by MLIR and written in safe Rust.
-
[Discussion] What crates would you like to see?
You can use cargo-geiger or cargo-crev to check for whether people you trusted (e.g. u/jonhoo ) trust this crate.
-
How do you choose what crate you will use?
The amount of unsafe code is also a factor. cargo geiger is a handy tool for measuring it.
-
Seems legit
We have cargo-geiger that does just that.
-
Rosenpass – formally verified post-quantum WireGuard
For that, I believe you need to use cargo-geiger[0] and audit the results.
[0] - https://github.com/rust-secure-code/cargo-geiger
-
Hey Rustaceans! Got a question? Ask here (6/2023)!
cargo-geiger is a subcommand you can install which will check all the crates in your dependency graph for unsafe blocks and print out a report (which also shows if a crate has #![forbid(unsafe_code)] or not). You can then inspect those crates' sources to judge their use of unsafe for yourself. I don't think it has a "check" mode that simply errors if your dependency graph contains unsafe though, it's more about just collecting that information.
-
[CCS Proposal] Preliminary research on rewriting Monero node in Rust
wrt to memory safety, keep in mind that many rust crates use "unsafe" internally. There are tools available that can find these such as cargo-geiger. So I would suggest to avoid unsafe deps as much as possible. Since they cannot be avoided entirely, it is a good idea to keep a list of unsafe deps.
What are some alternatives?
When comparing cargo-dephell and cargo-geiger you can also consider the following projects:
cargo-udeps - Find unused dependencies in Cargo.toml
bacon - background rust code check
glog - Leveled execution logs for Go
ziglings - Learn the Zig programming language by fixing tiny broken programs.
bmrng - An async MPSC request-response channel for Tokio
nomicon - The Dark Arts of Advanced and Unsafe Rust Programming
mold - Mold: A Modern Linker 🦠
miri - An interpreter for Rust's mid-level intermediate representation
orz - a high performance, general purpose data compressor written in the crab-lang
dlfile - For dl the file
pliron - Programming Languages Intermediate Representation
bstr - A string type for Rust that is not required to be valid UTF-8.