In a recent analysis, Adam Harvey found that among the 999 most popular crates on crates.io, around 17% contained code that do not match their code repository.

How?

• buy compromised cookies or credentials
• typosquatting or misleading create names
• macros

How to solve?
Again, like Go: having a comprehensive standard library.

It should have: base32, base64, bytes, crc32 and crc64, crypto, gzip, hex, http, json, net, rand, regex, tar, tls, uuid, zip, zstd.

How to fix now?

• Use Dev Containers!
• Password manager for the SSH keys and secrets
• fetch the dependencies from source
• audit the dependencies: cargo-audit and cargo-vet

The post landed today on Lobsters