Consider using cargo-vendor #224
Comments
|
This seems most useful when you depend on git sources rather than crates on |
|
The main thing I've considered this for is making code changes in dependencies visible as part of a PR review process. I think the practicality of that will depend on the nature of your project, and this one in particular has enough dependencies that may be impractical, but as they say, "many eyes make all bugs shallow", and if the code changes in dependencies are visible in each PR to the project, even if e.g. trojans aren't spotted right away prior to merging, you at least increase the probability of someone else reviewing the PR noticing. |
|
I don't think we're going to use this now |
As of today's 1.37 release, cargo-vendor (https://crates.io/crates/cargo-vendor) is now available in Cargo by default. If we wish to embrace the full monorepo philosophy we could use this to vendor all of our dependencies directly, which would at least suffice to prevent unforeseen version conflicts if a user manages to compile using a combination of versions that we're not. May want to wait on #140, although this does serve as a nice way to easily visualize how many libraries we're currently transitively depending on, which may spur on that effort. :)
The text was updated successfully, but these errors were encountered: