
use cargo-audit in CI to detect dependencies with known "vulnerabilities"

trinity-1686a requested to merge trinity-1686a/arti:cargo-audit into main

fix #152 (closed)
This patch-set makes it so that cargo-audit is run in CI to check for known vulnerabilities in dependencies.

It also patches the issues it found (both unmaintained crates).

https://rustsec.org/advisories/RUSTSEC-2018-0017
https://rustsec.org/advisories/RUSTSEC-2020-0077

cargo install cargo-audit is a bit long to run; it could use being cached or run in an environment in which it's preinstalled. I did not find an official Docker image containing it, but there are some unofficial ones which I can set it to use if wanted.
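A GitLab CI job of the kind the description refers to, written here as an added example and not taken from the merge request's own diff. The job name, the `test` stage, the `rust:latest` Docker Hub image, the cache key and the `.cargo-audit` install root are all assumptions; the `-D warnings` flag is what makes unmaintained-crate advisories such as the two fixed here fail the job instead of only being reported.

```yaml
# Added example (not the MR's .gitlab-ci.yml). Assumes a `test` stage and
# the Docker Hub `rust` image; job name, cache key and paths are placeholders.
cargo-audit:
  stage: test
  image: rust:latest
  # Cache the compiled cargo-audit binary between pipelines so the slow
  # `cargo install` step only runs when the cache is empty or was purged.
  cache:
    key: cargo-audit-bin
    paths:
      - .cargo-audit/
  before_script:
    - export AUDIT_ROOT="$CI_PROJECT_DIR/.cargo-audit"
    # Reinstall only if the cached binary is missing.
    - '[ -x "$AUDIT_ROOT/bin/cargo-audit" ] || cargo install --root "$AUDIT_ROOT" cargo-audit'
    - export PATH="$AUDIT_ROOT/bin:$PATH"
  script:
    # cargo-audit fails only on vulnerabilities by default and reports
    # unmaintained, unsound or yanked crates as warnings; -D warnings
    # promotes those warnings to a non-zero exit status as well.
    - cargo audit -D warnings
```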
