Stream: wg-secure-code

Topic: Warning when using yanked crate?


RalfJ (Dec 08 2019 at 08:50, on Zulip):

I read a proposal somewhere that cargo could warn when a build involves a yanked crate. That sounds quite useful, doesn't it? This comment says

I think I have mitigated some of the concern by issuing warnings on yanked dependencies.

but I am not sure if that applies only to install or also to build. Does anyone know more here?

RalfJ (Dec 08 2019 at 08:51, on Zulip):

Looks like it is for install only: https://github.com/rust-lang/cargo/commit/5f616eb18e979650beb50bfb955dc4213137a234

Tony Arcieri (Dec 13 2019 at 05:09, on Zulip):

Linting for yanked crates seems like something RustSec could do, especially if it looked at the local copy of the crates.io index...

Tony Arcieri (Dec 13 2019 at 05:10, on Zulip):

really good idea!

Tony Arcieri (Dec 13 2019 at 05:17, on Zulip):

https://github.com/RustSec/cargo-audit/issues/170

Last update: Jan 28 2020 at 01:45 UTC