Add cargo-vet configuration to require audits of dependencies#41353
Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>
atouchet commented Dec 17, 2025
Does cargo-vet work with the Dependabot workflow at all? I can imagine that if we both automatically attempt to merge new dependency updates but also require dependencies to be audited that the result will be a large number of Dependabot PRs failing CI checks.
jschwe commented Dec 18, 2025
If the new dependency is audited, either by
So yes, this will definitely influence the dependabot workflow, but then again that is half the point. We will need to tune this, and I'm not sure how configurable dependabot is yet, but if dependabot PRs first ran cargo vet, before anything else, then it wouldn't waste many resources.
This adds CI testing using cargo vet to audit dependencies.
See https://mozilla.github.io/cargo-vet/index.html for detailed documentation.
The initial policy is to trust audits performed by the following organizations:
Implications
This would mean that for every dependency update, it would either have to be verified by an audit performed by us or another org we trust. Alternatively, we can mark publishers / crates as trusted (for example for first-party crates maintained by the servo org).
Testing: Describe how this pull request is tested or why it doesn't require tests
Fixes: #34374
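The two mechanisms the description mentions, importing another organization's audits and trusting a publisher for first-party crates, look like this in cargo-vet's store files. This is an added illustration, not the configuration from this PR: the page does not list the organizations or crates involved, so the import URL is the one cargo-vet's own documentation uses as an example, and the crate name, user id and dates are placeholders.

```toml
# supply-chain/config.toml (illustrative; not the PR's file)
[cargo-vet]
version = "0.10"   # cargo-vet version that wrote the store

# 1. Trust audits performed by another organization. Any crate version
#    they have certified for the required criteria passes `cargo vet`
#    here without a local audit, so a Dependabot bump of an already
#    audited version needs no manual work. Which organizations the PR
#    imports is not shown on this page; this URL is the documentation
#    example, used here as a stand-in.
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

# supply-chain/audits.toml (illustrative)
# 2. Trust a publisher instead of auditing each release. Every version
#    of the placeholder crate `example-first-party-crate` published by
#    the crates.io user with id 0 (placeholder) between `start` and
#    `end` is accepted. `cargo vet trust <crate> <publisher>` writes
#    an entry of this shape; the end date bounds how long the trust
#    lasts without being renewed.
[[trusted.example-first-party-crate]]
criteria = "safe-to-deploy"
user-id = 0              # PLACEHOLDER: crates.io user id of the servo-org publisher
start = "2025-01-01"     # placeholder dates
end = "2026-01-01"
notes = "First-party crate maintained by the servo organization."

# CI check: `cargo vet --locked` fails on any dependency version that is
# neither audited (locally or via imports), trusted, nor exempted, and
# refuses to modify the store, so CI cannot silently add exemptions.
```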