Stream: wg-secure-code

Topic: Warning when using yanked crate?

RalfJ (Dec 08 2019 at 08:50, on Zulip):

I read a proposal somewhere that cargo could warn when a build involves a yanked crate. That sounds quite useful, doesn't it? This comment says

"I think I have mitigated some of the concern by issuing warnings on yanked dependencies."

but I am not sure if that applies only to install or also to build. Does anyone know more here?

RalfJ (Dec 08 2019 at 08:51, on Zulip):

Looks like it is for install only:

Tony Arcieri (Dec 13 2019 at 05:09, on Zulip):

Linting for yanked crates seems like something RustSec could do, especially if it looked at the local copy of the index...

Tony Arcieri (Dec 13 2019 at 05:10, on Zulip):

really good idea!

Tony Arcieri (Dec 13 2019 at 05:17, on Zulip):

Last update: Apr 06 2020 at 03:20UTC