greater supply chain attack risk due to large dependency trees?

• cargo-crev

  55 2,030 7.9 Rust

  A cryptographically verifiable code review system for the cargo (Rust) package manager.

  

You're probably thinking of https://github.com/mozilla/cargo-vet or https://github.com/crev-dev/cargo-crev

• cargo-vet

  12 596 7.6 Rust

  supply-chain security for Rust

  

You're probably thinking of https://github.com/mozilla/cargo-vet or https://github.com/crev-dev/cargo-crev

• WorkOS

  workos.com sponsored

  The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  

• crates.io

  661 2,796 10.0 Rust

  The Rust package registry

  

If we as a community wanted to improve this (which I don't think we do), we can start with increased awareness of dependencies. On crates.io, you can only see the number of dependencies on the third tab of a crate's description. How about we list the number of direct and total dependencies on the metadata sidebar?

• cargo-supply-chain

  20 311 4.9 Rust

  Gather author, contributor and publisher data on crates in your dependency graph.

  

Shameless plug: https://github.com/rust-secure-code/cargo-supply-chain shows the supply chain attack surface for your Rust project.

• advisory-db

  37 856 9.2

  Security advisory database for Rust crates published through crates.io

  

cargo-audit only checks for known issues reported to a vulnerability database.

• rfcs

  666 5,700 9.8 Markdown

  RFCs for changes to Rust

  

Also Rust should get a way to embed dependencies versions directly in your binary (basically the content of your Cargo.lock).

Suggest a related project