spruceid / ssi

Core library for decentralized identity.
https://spruceid.dev
Apache License 2.0
190 stars, 60 forks

Please run `cargo deny` or similar against ssi crate in CI #599

Closed scouten-adobe closed 3 weeks ago

scouten-adobe commented 1 month ago

The ssi crate introduces a number of dependencies on unmaintained or unsound crates as defined in this CI run.

These dependencies are easily detected by using a crate such as `cargo deny` as part of your CI process.

Happy to contribute this as a PR if you'd welcome it.

sbihel commented 1 month ago

For some context, we already have Dependabot in place for actionable advisories.

I'm a bit wary of adding `cargo deny check advisories` to the CI, as we don't necessarily have the time to maintain a list of ignores, and it will inevitably just become an ever-growing list that slows down PRs.

That being said, some of the unmaintained/unsound crates are direct dependencies of json-ld. @timothee-haudebourg do you have some form of dependencies scanning in place?

timothee-haudebourg commented 3 weeks ago

> do you have some form of dependencies scanning in place?

Not yet, but I'll setup something.
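As an added illustration of the CI check proposed above (not configuration taken from the ssi repository or from the cargo-deny project), a `deny.toml` that fails the build on unmaintained, unsound and vulnerable advisories while keeping the ignore list sbihel worries about small and self-documenting. The RUSTSEC identifiers are placeholders.

```toml
# deny.toml (hypothetical): evaluated by `cargo deny check advisories`
[advisories]
# Schema version 2: every advisory matching the dependency graph fails the
# check unless it is listed under `ignore`; there are no per-category
# "warn" levels to silently downgrade unmaintained or unsound findings.
version = 2

# Advisory database the check is resolved against (the RustSec default).
db-urls = ["https://github.com/rustsec/advisory-db"]

# Also refuse crate versions that have been yanked from crates.io.
yanked = "deny"

# The ignore list is the part that needs maintenance. Each entry records why
# it was accepted so a later reviewer can re-evaluate it, and cargo-deny
# warns (advisory-not-detected) when an ignored advisory no longer matches
# anything in the graph, which is the cue to delete the entry rather than
# let the list grow.
ignore = [
    # Placeholder IDs: substitute the identifiers reported by the CI run.
    { id = "RUSTSEC-0000-0000", reason = "unmaintained transitive dependency pulled in via json-ld; tracked upstream" },
    { id = "RUSTSEC-0000-0001", reason = "unsound API surface is not reachable from this crate; re-check on each bump" },
]
```

In GitHub Actions the same check can be run with `EmbarkStudios/cargo-deny-action` and `command: check advisories`, so a new advisory blocks the PR that would introduce it rather than surfacing later as a Dependabot alert.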