Right now, cargo crev is heavily oriented towards reviewing the current versions of one’s current dependencies. It would be nice if the user interface provided easy ways to review dependencies before updating or adding them; this would avoid risks of executing possibly-malicious code (via some Cargo command on the modified project) before a review of the new dependencies has been completed.
I don't have any specific ideas of how to improve the situation when doing a full review of a not-yet-added dependency (just taking the latest in the index feels a bit fragile), but cargo crev crate diff could have an option to specify a future version to compare, whereas it currently seems to always diff the locked version against the last-reviewed version.
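As an added illustration of the workflow the issue asks for, the script below is not cargo-crev code and does not use any option the tool actually has; it is a stand-alone approximation of "diff the locked version against a candidate version that is not in Cargo.lock yet". It assumes the standard Cargo.lock layout ([[package]] blocks with name and version lines), that crates.io serves tarballs at https://static.crates.io/crates/<name>/<name>-<version>.crate, and that Cargo keeps unpacked sources under ~/.cargo/registry/src/<index-hash>/<name>-<version>. Only a tarball download and extraction happen, so no build script, proc-macro or Cargo command runs against unreviewed code; verifying the tarball's sha256 against the registry index entry is left to the caller and flagged in the comments.

```shell
#!/bin/sh
# Added example (not cargo-crev code): review a candidate dependency version
# before touching Cargo.toml or running any Cargo command on the project.
# Assumptions: Cargo.lock layout ([[package]] / name / version lines),
# crates.io tarballs at https://static.crates.io/crates/<name>/<name>-<ver>.crate,
# and locally unpacked sources under ~/.cargo/registry/src/<index-hash>/<name>-<ver>.

# Print every version of crate $1 recorded in lockfile $2, one per line.
# If several versions of the same crate are locked, all of them are printed.
locked_version() {
    awk -v want="$1" '
        /^\[\[package\]\]/ { name = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = /      { gsub(/"/, "", $3); if (name == want) print $3 }
    ' "$2"
}

# Download URL for crate $1 at version $2 on the crates.io static file host.
crate_url() {
    printf 'https://static.crates.io/crates/%s/%s-%s.crate\n' "$1" "$1" "$2"
}

# Path to an already-unpacked copy of crate $1 version $2 in the local
# registry cache, if Cargo has fetched it before; non-zero status otherwise.
local_crate_src() {
    for d in "$HOME"/.cargo/registry/src/*/"$1-$2"; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# Fetch crate $1 version $2 into directory $3 and print the unpacked path.
# Only the tarball is downloaded and extracted: no build.rs, proc-macro or
# Cargo invocation runs, so unreviewed code is not executed at this step.
# Caveat: verify the tarball's sha256 against the registry index entry
# before trusting it; that check is not performed here.
fetch_crate_src() {
    mkdir -p "$3"
    curl -fsSL "$(crate_url "$1" "$2")" | tar -xzf - -C "$3"
    printf '%s/%s-%s\n' "$3" "$1" "$2"
}

# Diff the locked version of crate $1 (from lockfile $3, default Cargo.lock)
# against candidate version $2, which need not appear in the lockfile yet.
# Exit status follows diff: 0 when identical, 1 when the trees differ.
review_diff() {
    crate=$1; candidate=$2; lock=${3:-Cargo.lock}
    current=$(locked_version "$crate" "$lock")
    if [ -z "$current" ]; then
        echo "$crate is not in $lock; nothing to diff against" >&2
        return 1
    fi
    # Handle the duplicate-crate case: several versions locked at once.
    set -- $current
    if [ "$#" -gt 1 ]; then
        echo "warning: $# versions of $crate are locked; using $1" >&2
    fi
    current=$1
    work=$(mktemp -d)
    old=$(local_crate_src "$crate" "$current" || fetch_crate_src "$crate" "$current" "$work")
    new=$(fetch_crate_src "$crate" "$candidate" "$work")
    echo "# $crate: $current (locked) -> $candidate (candidate)"
    diff -ruN "$old" "$new"
}

# Usage: sh review_diff.sh <crate> <candidate-version> [Cargo.lock]
if [ "$#" -ge 2 ]; then
    review_diff "$@"
fi
```

Reading the candidate straight from the lockfile-free tarball is the point: the diff is produced from the modified dependency alone, so the project's own Cargo.toml stays untouched until the review is done. The lockfile parser deliberately reports every locked version of a crate rather than the first hit, since a workspace that locks two versions of the same crate would otherwise silently compare against the wrong one.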