cargo-supply-chain
Gather author, contributor and publisher data on crates in your dependency graph.
Another mentioned https://github.com/crev-dev/cargo-crev but it seems like coverage isn't perfect and some versions of libraries covered by it are somewhat old.
cargo supply-chain to see your attack surface for supply chain attacks
cargo crev and cargo vet for reviewing dependencies and using reviewed versions
cargo deny for fetching crates only from trusted sources, blacklisting crates, etc.
Your actions will depend on your specific risk factors/tolerances. If you want to protect against a compromised or turned-malicious crates.io, then vendoring or having your own mirror are the only real alternatives. But that's a decent amount of work for a stunningly unlikely problem.
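The toolchain described in the comments above (cargo deny for restricting sources and banning crates, vendoring or a private mirror for surviving a compromised crates.io) is driven by two config files. What follows is an added illustration written for this page, not config from the thread, from cargo-supply-chain or from the cargo-deny project; the banned crate name and the mirror URL are placeholders, and the policy values are one reasonable choice rather than a recommendation for every project.

```toml
# --- deny.toml (read by `cargo deny check`) ---
# Illustrative policy, not any project's own config. The crate name under
# [bans] is a placeholder chosen only to show the syntax.

[sources]
# Fail the check for any crate that does not come from an explicitly allowed
# registry or git repository (this is the "only trusted sources" point above).
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []

[bans]
# Duplicate versions of one crate are extra code to review; flag them.
multiple-versions = "warn"
# Refuse "*" version requirements, which accept whatever is newest.
wildcards = "deny"
# Explicitly banned crates; an entry with only a name matches every version.
deny = [
    { name = "openssl" },
]

[advisories]
# RustSec advisories to ignore. Keep this empty unless a specific advisory
# has been reviewed and the risk accepted.
ignore = []

# --- .cargo/config.toml (cargo source replacement) ---
# Route every crates.io fetch to a directory produced by `cargo vendor`, so a
# compromised or unreachable crates.io cannot change what gets built.
[source.crates-io]
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "vendor"

# Alternative: replace crates.io with a mirror you control instead of a vendor
# directory. The registry URL is a placeholder.
# [source.crates-io]
# replace-with = "internal-mirror"
#
# [source.internal-mirror]
# registry = "https://mirror.example.internal/index"
```

`cargo vendor` prints the exact `[source]` stanza to paste into `.cargo/config.toml`, and `cargo deny check sources`, `cargo deny check bans` and `cargo deny check advisories` run the corresponding sections of `deny.toml`. One caveat worth keeping in mind: vendoring or mirroring only freezes the crates you already fetched; it says nothing about whether those copies were clean, which is what the crev/vet review step is for.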
dust (https://github.com/bootandy/dust) made in Rust of course ;)