Run cargo audit by default

Question

Run cargo audit by default

Opened this issue 5 years ago · 3 comments

Would be great to turn CI red on vulnerable dependencies.

Answer 1 · 2019-09-03T15:14:47.000Z

Thoughts on CI vs a bot? Dependabot can automatically create PRs for security vulnerabilities which is more proactive than the CI which is in response to a PR, master commit, tag, and/or a schedule.

Ouch, looks like they don't offer pre-built binaries and seem to be against it. The slowdown caused by that seems bad from a defaults perspective.

Answer 2 · 2019-09-03T18:22:52.000Z

It's too bad that Azure doesn't have caching yet.

I basically agree with the author that we should get cargo-audit into cargo proper.

Answer 3 · 2019-09-03T18:56:22.000Z

At least caching is in Preview