Polyglot for Maven VS cargo-geiger

And you don't even need to use XML with Polyglot Maven

https://github.com/takari/polyglot-maven

If you prefer the shorter alternative, you might want to use the Polyglot XML extension https://github.com/takari/polyglot-maven/tree/master/polyglot-xml

Here you go: https://github.com/takari/polyglot-maven

Fun fact, POM files can be in formats other than XML (although I have no idea if IJ would tolerate such shenanigans): https://github.com/takari/polyglot-maven/blob/polyglot-0.4.8/polyglot-yaml/src/test/resources/snakeyaml/pom.yaml

There is a certain argument to be made for user ergonomy. Many developers are drawn to Gradle and friends, or to work with polyglot Maven, because they support a more concise syntax. This is not necessarily a contradiction with Maven's Goals!

I wished they‘d finally embrace polyglot maven https://github.com/takari/polyglot-maven. pom.yaml rule the world.

It seems merely adding a file to the .mvn directory will do as you wish: https://github.com/takari/polyglot-maven#usage

I have avoided that road because it's one more thing that is a snowflake in the very area where I don't want to blazing trails. But I have personally tried their approach before and can confirm it does work as advertised. I can't recall if IJ lost its mind over pulling a stunt like that, but arguably if it did, then filing a YouTrack is an appropriate next step

Instead of looking at the crates themselves, you might want to check your (or others') Rust application with https://github.com/rust-secure-code/cargo-geiger to get a sense of effective prevalence. I also dispute that the presence of unsafe somewhere in the dependency tree is an issue in itself, but that's a different discussion that many more had in other sub-threads.

There's still plenty. Run cargo geiger on any of your projects and see for yourself.

On point 2, the answer is cargo geiger, and judging how much memory safety you need for a given project.

You can use cargo-geiger or cargo-crev to check for whether people you trusted (e.g. u/jonhoo ) trust this crate.

The amount of unsafe code is also a factor. cargo geiger is a handy tool for measuring it.

We have cargo-geiger that does just that.

For that, I believe you need to use cargo-geiger[0] and audit the results.

[0] - https://github.com/rust-secure-code/cargo-geiger

cargo-geiger is a subcommand you can install which will check all the crates in your dependency graph for unsafe blocks and print out a report (which also shows if a crate has #![forbid(unsafe_code)] or not). You can then inspect those crates' sources to judge their use of unsafe for yourself. I don't think it has a "check" mode that simply errors if your dependency graph contains unsafe though, it's more about just collecting that information.

wrt to memory safety, keep in mind that many rust crates use "unsafe" internally. There are tools available that can find these such as cargo-geiger. So I would suggest to avoid unsafe deps as much as possible. Since they cannot be avoided entirely, it is a good idea to keep a list of unsafe deps.