epage
commented
2 years ago FYI I've updated your examples to work with cargo update as cargo update won't upgrade from 0.1 to 0.2 but will upgrade 0.1.0 to 0.1.2.
In way this is a user-driven rolling releases which is an intriguing idea. As this is security focused and I know I'm not the greatest in analyzing attack vectors and solutions, I would be interested in hearing from other security people on alternatives, downsides, etc.
For example, what if a security fix is made available, how do we make sure workflows around this feature aren't set to delay people getting it?
RCasatta
Problem
Supply chain attacks with malicious packages downloaded via dependencies or indirect dependencies are exploding in the NPM ecosystem.
Auditing of dependencies with tools like
cargo crevandcargo vetseems necessary for packages with a high level of security requirement, however, those tools are not widely used yet, and directly auditing dependencies in small teams could be a task too demanding.Proposed Solution
The proposal is an option for
cargo updateto update all dependencies up to a certain date in the past to avoid just released packages.The rationale is that malicious packages are more likely to stay undetected near the release date but after a while they are spotted.
Notes
Example:
my project has in Cargo.toml
And a Cargo.lock with the same version.
coollib 0.1.2 is released 30 days ago. coollib 0.1.3 is released yesterday.
I would like to use something like:
cargo update --older 10dAnd the Cargo.lock will update to coollib 0.1.2 because 0.1.3 is too recent