Status: Closed (scouten-adobe closed this 3 weeks ago)
For some context, we already have Dependabot in place for actionable advisories. I'm a bit wary of adding `cargo deny check advisories` to the CI, as we don't necessarily have the time to maintain a list of ignores, and it will inevitably just become an ever-growing list that slows down PRs.
That being said, some of the unmaintained/unsound crates are direct dependencies of json-ld. @timothee-haudebourg, do you have some form of dependency scanning in place?
> do you have some form of dependency scanning in place?

Not yet, but I'll set something up.
The ssi crate introduces a number of dependencies on unmaintained or unsound crates, as defined in this CI run. These dependencies are easily detected by using a crate such as `cargo deny` as part of your CI process. Happy to contribute this as a PR if you'd welcome it.
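For readers following this thread, here is what a `deny.toml` for `cargo deny check advisories` looks like in the classic `[advisories]` format. This is an example added to the thread, not the ssi project's own configuration, and the severity levels chosen below are assumptions: they fail the build only on known vulnerabilities and merely warn on unmaintained and unsound crates, which keeps the ignore list from growing the way the comment above worries about. Newer cargo-deny releases prefer the `version = 2` advisories format, so check the cargo-deny book for the version you install.

```toml
# deny.toml at the repository root, read by `cargo deny check advisories`.
# Illustrative configuration for this thread (not the ssi project's file);
# the severity choices below are assumptions, not project policy.

[advisories]
# A dependency with a published vulnerability fails the check.
vulnerability = "deny"

# Unmaintained and unsound crates (the categories raised in this issue) are
# reported in CI output but do not fail the build, so no ignore entry is
# needed just to keep PRs green.
unmaintained = "warn"
unsound = "warn"

# Crates whose published version was yanked, and informational notices.
yanked = "warn"
notice = "warn"

# Advisories that have been reviewed and accepted. Keep one RUSTSEC id per
# entry with a comment explaining why it is acceptable, and prune entries
# as the dependency is updated or replaced. Empty here on purpose.
ignore = []
```

Locally, `cargo install cargo-deny` followed by `cargo deny check advisories` runs the check against the RustSec advisory database. In GitHub Actions the same check is available as the `EmbarkStudios/cargo-deny-action` step with `command: check advisories`. Tightening `unmaintained` or `unsound` to `"deny"` later is a one-line change once the dependency cleanup discussed here has landed.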