Limit exposure to dependencies weaknesses · mimblewimble/grin#2026

(5 留言) (1 反應) (0 負責人)Rust (4,876 star) (991 fork)batch import

good first issuehelp wantedtask

描述

I think we've all had this in mind for quite a while but this was a direct reminder (widely used npm package with newly injected malicious code):

https://github.com/dominictarr/event-stream/issues/116

I don't think we should worry about auditing every single of our dependencies and Rust does a good job at protecting us from some of these attacks. At this stage I'm also not too worried about crates.io getting hacked. But I do think we should at least make sure every single of our dependency is pinned to a specific version.

貢獻者指南

技術棧: rust
領域: security
議題類型: security
難度: 3
預計時間: 1-2 days
活動狀態: stale
清晰度: mostly clear
前置要求: Rust basicsCargo.tomldependency pinning concepts
新手友善度: 60
研究方向: The issue calls for pinning all dependencies to specific versions to mitigate supply chain attacks. First, examine the current Cargo.toml and Cargo.lock to identify unpinned dependencies. Then, research best practices for pinning in Rust, such as using exact versions or using `cargo update` to lock versions. The maintainers should decide on a policy and implement it in a PR that updates version specifiers. Consider also auditing if any dependencies already use [patch] or [replace] sections.