From a supply-chain perspective, Cargo is still in the same broad risk category as npm and PyPI: installing packages means trusting externally published code, including code that may execute during build or installation.
Rather than looking for someone to blame - in this case, GitHub - we should focus on constructive ways to harden the ecosystem.
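To make the build-time-code point concrete, here is an added example (not from the comment above or from Cargo itself) that lists vendored crates Cargo would execute code for during `cargo build`: those shipping a build script or declared as proc-macro crates. It assumes a `cargo vendor`-style layout of `<vendor>/<crate>/Cargo.toml`; the function and type names are my own.

```rust
// Added example: inventory which vendored crates can run code at build time.
// Assumes <vendor_dir>/<crate>/Cargo.toml, as produced by `cargo vendor`.
use std::fs;
use std::path::Path;

#[derive(Debug, PartialEq, Eq)]
pub struct BuildTimeCode {
    pub crate_dir: String,
    pub has_build_script: bool,
    pub is_proc_macro: bool,
}

// Strip comments and spaces from each manifest line so key = value pairs compare cleanly.
fn normalized_lines(manifest: &str) -> impl Iterator<Item = String> + '_ {
    manifest
        .lines()
        .map(|l| l.split('#').next().unwrap_or("").replace([' ', '\t'], ""))
}

/// True if the manifest declares a proc-macro library (either spelling Cargo accepts).
pub fn declares_proc_macro(manifest: &str) -> bool {
    normalized_lines(manifest).any(|l| l == "proc-macro=true" || l == "proc_macro=true")
}

/// True if the manifest names a custom build script via `build = "..."` (not `build = false`).
pub fn declares_build_key(manifest: &str) -> bool {
    normalized_lines(manifest).any(|l| l.starts_with("build=") && l != "build=false")
}

/// Walk `vendor_dir` and report every crate with a build.rs, a `build` key, or a
/// proc-macro declaration. Results are sorted by directory name for stable output.
pub fn find_build_time_code(vendor_dir: &Path) -> std::io::Result<Vec<BuildTimeCode>> {
    let mut entries: Vec<_> = fs::read_dir(vendor_dir)?.filter_map(|e| e.ok()).collect();
    entries.sort_by_key(|e| e.file_name());
    let mut hits = Vec::new();
    for entry in entries {
        let dir = entry.path();
        if !dir.is_dir() { continue; }
        let manifest = fs::read_to_string(dir.join("Cargo.toml")).unwrap_or_default();
        let has_build_script = dir.join("build.rs").is_file() || declares_build_key(&manifest);
        let is_proc_macro = declares_proc_macro(&manifest);
        if has_build_script || is_proc_macro {
            let crate_dir = entry.file_name().to_string_lossy().into_owned();
            hits.push(BuildTimeCode { crate_dir, has_build_script, is_proc_macro });
        }
    }
    Ok(hits)
}
```

Crates this flags are the ones whose contents deserve review before a build is run on a developer machine or CI runner, since their code executes regardless of whether your program ever calls them.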