greater supply chain attack risk due to large dependency trees?

1. cargo-crev

   1 57 2,201 7.2 Rust

   A cryptographically verifiable code review system for the cargo (Rust) package manager.

   

   You're probably thinking of https://github.com/mozilla/cargo-vet or https://github.com/crev-dev/cargo-crev

2. Stream

   getstream.io featured

   Stream - Scalable APIs for Chat, Feeds, Moderation, & Video. Stream helps developers build engaging apps that scale to millions with performant and flexible Chat, Feeds, Moderation, and Video APIs and SDKs powered by a global edge network and enterprise-grade infrastructure.

   

3. cargo-vet

   2 13 730 6.9 Rust

   supply-chain security for Rust

   

   You're probably thinking of https://github.com/mozilla/cargo-vet or https://github.com/crev-dev/cargo-crev

4. crates.io

   3 673 3,245 10.0 Rust

   The Rust package registry

   

   If we as a community wanted to improve this (which I don't think we do), we can start with increased awareness of dependencies. On crates.io, you can only see the number of dependencies on the third tab of a crate's description. How about we list the number of direct and total dependencies on the metadata sidebar?

5. cargo-supply-chain

   4 21 331 5.2 Rust

   Gather author, contributor and publisher data on crates in your dependency graph.

   

   Shameless plug: https://github.com/rust-secure-code/cargo-supply-chain shows the supply chain attack surface for your Rust project.

6. advisory-db

   5 37 997 9.4

   Security advisory database for Rust crates published through crates.io

   

   cargo-audit only checks for known issues reported to a vulnerability database.

7. rfcs

   6 690 6,214 9.1 Markdown

   RFCs for changes to Rust

   

   Also Rust should get a way to embed dependencies versions directly in your binary (basically the content of your Cargo.lock).

Suggest a related project