cargo-audit v0.11: Introducing the `fix` feature, yanked crate detection, and more

栏目: IT技术 · 发布时间: 6年前

内容简介:This post describes the new features in the 0.11 release ofOne of our

cargo-audit is a command-line utility which inspects Cargo.lock files and compares them against the RustSec Advisory Database , a community database of security vulnerabilities maintained by the Rust Secure Code Working Group .

This post describes the new features in the 0.11 release of cargo-audit .

cargo audit fix : automatically update vulnerable dependencies

One of our most requested features (especially by fans of the similar npm audit fix command), the new cargo audit fix subcommand will attempt to automatically update version requirements for vulnerable dependencies to non-vulnerable versions.

Note that this is an experimental new feature which isn't enabled by default. To try it out, install cargo-audit with the following:

$ cargo install cargo-audit --features=fix

This will perform the same audit process as cargo audit initially, and then attempt to apply fixes to your Cargo.toml :

cargo-audit v0.11: Introducing the `fix` feature, yanked crate detection, and more

Under the hood, it uses cargo-edit (as a library) to perform modifications to your Cargo.toml file, using the fixed version requirements listed in the advisory to try to perform an automatic upgrade to a non-vulnerable version of a dependency for each advisory.

Note once more that this is a new, experimental feature and as such it's bound to have bugs. If you're worried, you can use cargo audit fix --dry-run to perform a dry run only. And if you do encounter bugs, please file a bug report .

We'd like to thank Reza Fatahi and Hanif Ariffin for their work in contributing this feature.

Warnings for yanked crates

As you can see in the screenshot above, cargo audit now checks each of the crates in your Cargo.lock file against the crates.io index to determine if any of them have been yanked. If they have, it will emit a warning as per above.

If you'd like for yanked crates to be a hard failure, you can run cargo audit with the -D command-line argument:

$ cargo audit -D

or if you prefer to be more explicit:

$ cargo audit --deny-warnings

Compatibility with the new "V2" format for Cargo.lock

Rust 1.39 shipped support for a new merge-friendly Cargo.lock format .

cargo audit consumes Cargo.lock directly, and while the V2 format change didn't break the core vulnerability-auditing functionality of cargo audit , several minor features regressed because of this, such as displaying dependency trees for vulnerable dependencies.

This release also upgrades to version 4.0 of the cargo-lock crate , which includes full support for the V2 Cargo.lock format and constructs a representation of a lockfile which is the same across the V1 and V2 formats.

If you noticed dependency trees failing to display after upgrading to the V2 Cargo.lock format, they should now be working again!

Thanks for reading, and we hope you enjoy cargo-audit 0.11!


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

成为乔布斯

成为乔布斯

[美] 布伦特·施兰德、[美] 里克·特策利 / 陶亮 / 中信出版集团 / 2016-10 / 69.00元

本书描绘了一位多姿多彩的人物将与生俱来的激情与成熟的管理方式相结合,打造出史上最有价值、最受消费者追捧的公司,这本书将彻底改变我们看待乔布斯的方式。 本书推翻了关于史蒂夫·乔布斯的传说和陈词滥调,比如他是天才和混蛋的结合体,暴躁易怒、自私自利,怠慢朋友与家人。本书揭示了这位苹果联合创始人和CEO的家庭生活与职业生涯,并回答了一个关键问题:为什么如此轻狂傲慢、以至于被赶出苹果的年轻人能成为史上......一起来看看 《成为乔布斯》 这本书的介绍吧!

HTML 压缩/解压工具
HTML 压缩/解压工具

在线压缩/解压 HTML 代码

JSON 在线解析
JSON 在线解析

在线 JSON 格式化工具

MD5 加密
MD5 加密

MD5 加密工具