cargo-acl / cackle for 3rd party transient deps
Some time ago I came across a situation where serde started to use binary blobs which we could not reproduce.
This represents a risk with transient dependencies, given that Rust has a rich ecosystem which nevertheless poses its own problems, including with build.rs files.
Somebody I know made a tool that caught these new blobs and which may be useful for creating an ACL for what the transient deps can do:
https://github.com/cackle-rs/cackle
Ideally this ACL would be in force in dev, CI and release to protect all environments along the way.