23.13 Security Considerations

While Crates.io and Cargo make it convenient to share and reuse code, every dependency you pull in is code that runs with your project's privileges, so dependency packages introduce potential security risks (supply chain attacks).

  • Vet Dependencies: Before adding a new dependency package, especially one from a less-known author, check its source repository (e.g., on GitHub), its download count on Crates.io, and any community feedback.
  • Keep Dependencies Updated: Regularly update dependencies using cargo update (which refreshes Cargo.lock within the version ranges allowed by Cargo.toml) to receive bug fixes and security patches in dependency packages. Use cargo outdated (the cargo-outdated subcommand) to identify packages needing updates, including those blocked by your Cargo.toml ranges.
  • Audit Dependencies: Use tools like cargo audit (the cargo-audit crate maintained by the RustSec project) to check your Cargo.lock file against the RustSec Advisory Database for known vulnerabilities in your dependency packages. Integrate this into your CI pipeline so the job fails when an advisory matches.
    cargo install cargo-audit # Install the cargo-audit subcommand
    cargo audit               # Check Cargo.lock against the RustSec Advisory Database
    
  • Minimize Dependencies: Avoid adding dependency packages unnecessarily. Fewer dependencies mean a smaller attack surface. Review dependencies periodically and remove unused ones (the cargo-machete package can help find unused dependencies).
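To make the audit step concrete, the following is an added example (not code from the original text, and not cargo-audit's own implementation) that sketches what cargo audit does conceptually: it reads the [[package]] entries of a Cargo.lock and matches each package name and version against an advisory list. The lockfile text, the advisory entries and the advisory id EXAMPLE-0001 are all constructed sample data, not real RustSec records, and the version logic handles only plain MAJOR.MINOR.PATCH strings; it uses only the standard library so it runs stand-alone.

```rust
// Added example: a std-only sketch of lockfile-vs-advisory matching.
// All data below is constructed; EXAMPLE-0001 is a placeholder id.

#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64); // field order gives lexicographic compare

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are not handled here.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.split('.').map(|p| p.parse::<u64>().ok());
        let v = Version(parts.next()??, parts.next()??, parts.next()??);
        if parts.next().is_some() {
            return None; // more than three components
        }
        Some(v)
    }
}

#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: Version,
}

/// A constructed advisory: `package` is affected for every version below `patched`.
pub struct Advisory {
    pub id: &'static str,
    pub package: &'static str,
    pub patched: Version,
    pub title: &'static str,
}

/// Extract (name, version) pairs from the [[package]] tables of a Cargo.lock.
/// Only `name` and `version` keys are read; checksums, sources and deps are ignored.
pub fn parse_lockfile(text: &str) -> Vec<LockedPackage> {
    fn flush(name: &mut Option<String>, version: &mut Option<Version>, out: &mut Vec<LockedPackage>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(LockedPackage { name: n, version: v });
        }
    }
    let mut out = Vec::new();
    let mut name = None;
    let mut version = None;
    for line in text.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out); // close the previous table
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level `version = 3` lockfile-format line fails to parse and is skipped.
            version = Version::parse(v.trim_matches('"'));
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Every (package, advisory) pair where the locked version falls in the affected range.
pub fn audit<'a>(packages: &'a [LockedPackage], advisories: &'a [Advisory]) -> Vec<(&'a LockedPackage, &'a Advisory)> {
    let mut hits = Vec::new();
    for pkg in packages {
        for adv in advisories {
            if pkg.name == adv.package && pkg.version < adv.patched {
                hits.push((pkg, adv));
            }
        }
    }
    hits
}

/// Constructed Cargo.lock: two resolved versions of `example-http` plus one clean crate.
pub const SAMPLE_LOCKFILE: &str = r#"
version = 3

[[package]]
name = "example-http"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-http"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "safe-crate"
version = "2.0.0"
"#;

/// Constructed advisory list (placeholder id, not a real RustSec entry).
pub fn sample_advisories() -> Vec<Advisory> {
    vec![Advisory {
        id: "EXAMPLE-0001",
        package: "example-http",
        patched: Version(1, 0, 0),
        title: "header parsing accepts unbounded input (constructed example)",
    }]
}

fn main() {
    let packages = parse_lockfile(SAMPLE_LOCKFILE);
    let advisories = sample_advisories();
    let hits = audit(&packages, &advisories);
    for (pkg, adv) in &hits {
        println!("{}: {} {} is affected ({}); patched in >= {:?}", adv.id, pkg.name, pkg.version.0, adv.title, adv.patched);
    }
    if !hits.is_empty() {
        std::process::exit(1); // non-zero exit fails the CI job, like cargo audit
    }
}
```

Running it reports only example-http 0.2.3 (the 1.4.0 copy is at or above the patched version), which is also why a lockfile can carry one flagged and one clean copy of the same crate at once. The real cargo audit additionally understands pre-release versions, `unaffected` ranges and yanked crates, so treat this as a reading aid for its output, not a replacement.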