rust-secure-code / cargo-supply-chain

Gather author, contributor and publisher data on crates in your dependency graph.
Apache License 2.0

Dependencies from other platforms are reported as "not from crates.io" #5

Closed Shnatsel closed 3 years ago

Shnatsel commented 3 years ago

The output of cargo supply-chain on itself reports this:

Cannot audit the following crates because they are not from crates.io:
 - chunked_transfer
 - const_fn
 - discard
 - itoa
 - matches
 - percent-encoding
 - semver-parser
 - spin
 - stdweb-internal-runtime
 - unicode-xid
 - untrusted
 - version_check
 - wasm-bindgen-shared
 - winapi-i686-pc-windows-gnu
 - winapi-x86_64-pc-windows-gnu

I doubt they all come from git repos or some such. This is probably a bug.

See also #4