cargo-vet
crates.io
cargo-vet | crates.io | |
---|---|---|
12 | 662 | |
598 | 2,802 | |
5.7% | 1.2% | |
7.6 | 10.0 | |
about 1 month ago | 6 days ago | |
Rust | Rust | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cargo-vet
-
Ferrocene β Rust for Critical Systems
For supply chain security, you might be interested in cargo-vet[0], a tool for coordinating and requiring manual reviews of open source dependencies. Both Mozilla and Google[1] have started publishing their audits.toml files, which are a machine-readable file describing what source code reviews they have performed.
[0] https://github.com/mozilla/cargo-vet
[1] https://opensource.googleblog.com/2023/05/open-sourcing-our-...
-
Rust security scanning options
there is also cargo-vet for manual auditing of the source code of the crates, which is not something that can be done automatically. Quite a few companies and orgs use it now like Mozilla, Google, Bytecode Alliance, us (Embark Studios), ISRG, zcash etc. And believe its usage will expand significantly going forward with corporate users and security sensitive projects/orgs.
-
NPM repository flooded with 15,000 phishing packages
If you don't know the author, signatures do nothing. Anybody can sign their package with some key. Even if you could check the author's identity, that still does very little for you, unless you know them personally.
It makes a lot more sense to use cryptography to verify that releases are not malicious directly. Tools like crev [1], vouch [2], and cargo-vet [3] allow you to trust your colleagues or specific people to review packages before you install them. That way you don't have to trust their authors or package repositories at all.
That seems like a much more viable path forward than expecting package repositories to audit packages or trying to assign trust onto random developers.
[1]: https://github.com/crev-dev/crev [2]: https://github.com/vouch-dev/vouch [3]: https://github.com/mozilla/cargo-vet
-
How do regulates companies handle software of unknown Provence (SOUP) when using needed open source crates?
The other approach is https://github.com/mozilla/cargo-vet
- greater supply chain attack risk due to large dependency trees?
- Dozens of malicious PyPI packages discovered targeting developers
-
Best way to protect a project from supply chain attacks?
cargo crev and cargo vet for reviewing dependencies and using reviewed versions
-
Vetting the Cargo
Since the audits are designed to be used at a per project level and contributed directly into the VCS repo (allowing you to using git signing for example) I don't quite understand what additional off-line cryptographic signatures are required here (considering that Cargo's lockfiles already contain a hash of the crate which would prevent the project from getting an altered version of a crate accidentally and that SHA validation is being considered as part of vet as well https://github.com/mozilla/cargo-vet/issues/116).
- Mozilla/cargo-vet β supply-chain security for Rust
- Gitsign
crates.io
-
Create a Custom GitHub Action in Rust
Rust has a rich ecosystem of frameworks and libraries that let you read, parse, and manipulate text files, interact with cloud services and databases, and perform any other job that your project's development workflow may require. And because of its strong typing and tight memory management, you are much less likely to write programs that behave unexpectedly in production.
-
Rust Keyword Extraction: Creating the YAKE! algorithm from scratch
All the code discussed in this article can be accessed through this repository. For integration with existing projects consider using keyword_extraction crate available on crates.io.
-
Migrating a JavaScript frontend to Leptos, a Rust framework
So, be sure to double-check your critical libraries and be sure their alternatives exist in the Rust ecosystem. Thereβs a good chance the crates you need are available in Rust's crates.io repository.
-
Learning Rust: A clean start
The previous section was very simple, this section is also very simple but introduces us to cargo which is Rust's package manager, as a JS dev my mind goes straight to NPM.
-
#2 Rust - Cargo Package Manager
Now, there has to be a place where all these packages come from. Similar to npmjs registry, where all node packages are registered, stored and retrieved, Rust also has something called crates.io where many helpful packages and dependencies are registered.
-
Rust π¦ Installation + Hello World
Before proceeding, let's check https://crates.io/, the official Rust package registry.
-
Underestimating rust for my Project.
The most thrilling aspect has been the joy of writing the backend. It's like every struct, enum, and method in Rust forms this interconnected Multiverse of code , which you can see in crates.io which is best Documentation experience I Ever Had.
-
Top 10 Rusty Repositories for you to start your Open Source Journey
5. Crates.io
-
Project Structure Clarification Coming From Python - With Example
When using crates from eg. crates.io, and also things like std and core
-
Cargo has never frustrated me like npm or pip has. Does Cargo ever get frustrating? Does anyone ever find themselves in dependency hell?
Vendoring your packages was very tedious to even remotely get to work with Cargo. I spent a very long time getting Cargo to work together with cargo-local-registry. We vendor crates from crates.io and a custom internal registry.
What are some alternatives?
cargo-crev - A cryptographically verifiable code review system for the cargo (Rust) package manager.
docs.rs - crates.io documentation generator
W4SP-Stealer - w4sp Stealer official source code, one of the best python stealer on the web [GET https://api.github.com/repos/loTus04/W4SP-Stealer: 403 - Repository access blocked]
plotters - A rust drawing library for high quality data plotting for both WASM and native, statically and realtimely π¦ ππ
git-ts - Git TimeStamp Utility
Cargo - The Rust package manager
gitsign - Keyless Git signing using Sigstore
trunk - Build, bundle & ship your Rust WASM application to the web.
secimport - eBPF Python runtime sandbox with seccomp (Blocks RCE).
gtk4-rs - Rust bindings of GTK 4
security-wg - Node.js Ecosystem Security Working Group
Rocket - A web framework for Rust.