Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

23.13 Security Considerations

While Crates.io and Cargo provide a convenient way to share and use code, dependency packages introduce potential security risks (supply chain attacks).

  • Vet Dependencies: Before adding a new dependency package, especially from less-known authors, check its source repository (e.g., on GitHub), download count on Crates.io, and community feedback if possible.
  • Keep Dependencies Updated: Regularly update dependencies using cargo update to receive bug fixes and security patches in dependency packages. Use cargo outdated to identify packages needing updates.
  • Audit Dependencies: Use tools like cargo audit (from the rustsec/cargo-audit package) to check your Cargo.lock file against the RustSec Advisory Database for known vulnerabilities in your dependency packages. Integrate this into your CI pipeline. 
    cargo install cargo-audit # Install the audit package
cargo audit
  • Minimize Dependencies: Avoid adding dependency packages unnecessarily. Fewer dependencies mean a smaller attack surface. Review dependencies periodically and remove unused ones (cargo-machete package can help find unused dependencies).