
Unused dependencies, dependency versions and security vulnerabilities with cargo #1674

Closed
mversic opened this issue Dec 3, 2021 · 2 comments
Labels:
  • Chore: This is a small task that can be done at any point in time and is easier than others
  • CI
  • iroha2-dev: The re-implementation of a BFT hyperledger in RUST

Comments

mversic (Contributor) commented Dec 3, 2021

Sometimes it happens that unused dependencies remain in our dependency tree. Also, sometimes it happens that we use some crates with known security vulnerabilities. It would be good to investigate and integrate into our CI tools that would help us circumvent these issues in production releases.

  • a project that contains various tools to help mitigate security vulnerabilities in cargo dependencies
  • a project to help us remove unused dependencies that crept into the codebase

An interesting workflow to execute:

  1. Run cargo update to update to the latest semver compatible version.
  2. Run cargo outdated --workspace --root-deps-only to find newer, possibly incompatible dependencies. Update those and fix code as needed.
  3. Run cargo tree --duplicate to show dependencies which come in multiple versions. Deduplicate those.

The ability to manage dependencies for all workspace crates is not yet available in cargo. However, there is a tracking issue for this feature. Once available we will be able to deduplicate dependencies and metadata directives amongst Iroha workspace crates.
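As an added example, not code from the issue or the Iroha project: a POSIX shell gate for step 3 of the workflow above that parses `cargo tree --duplicate` output and fails the CI job when any crate is present in more than one version. It assumes the output format in which each duplicated package starts a top-level line `name vX.Y.Z` with its reverse dependencies indented beneath it; the sample tree below is constructed.

```shell
#!/bin/sh
# Added example (not Iroha project code): CI gate for "cargo tree --duplicate".
# Assumed format: top-level lines read "name vX.Y.Z [...]"; reverse
# dependencies follow on indented lines drawn with tree characters.

# Reads `cargo tree --duplicate` output on stdin and prints every crate
# that appears in more than one distinct version, one name per line.
duplicate_crates() {
    awk '
        /^[A-Za-z0-9_-]+ v[0-9]/ {
            name = $1; ver = $2
            if (!((name, ver) in seen)) {   # count each version once
                seen[name, ver] = 1
                count[name]++
            }
        }
        END { for (n in count) if (count[n] > 1) print n }
    ' | sort
}

# CI step: returns non-zero when the tree still carries duplicates, e.g.
#   cargo tree --duplicate | check_no_duplicates
check_no_duplicates() {
    dups=$(duplicate_crates)
    if [ -n "$dups" ]; then
        printf 'crates present in multiple versions:\n%s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `cargo tree --duplicate` output (hypothetical crates).
SAMPLE_TREE='rand v0.7.3
└── legacy_util v0.1.0
    └── my_app v0.1.0 (/workspace/my_app)
rand v0.8.4
└── my_crypto v0.1.0 (/workspace/my_crypto)
syn v1.0.82
└── serde_derive v1.0.130 (proc-macro)
syn v1.0.86
└── my_macros v0.1.0 (/workspace/my_macros)'
```

In a pipeline such as `cargo tree --duplicate | check_no_duplicates`, the job fails with the offending crate names on stderr until step 3 is actually done.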

mversic added the labels good first issue, dependencies, CI and iroha2-dev, then removed good first issue, Dec 3, 2021
@mversic mversic changed the title Unused dependencies and vulnerabilities with cargo Unused dependencies and security vulnerabilities with cargo Dec 4, 2021
@mversic mversic changed the title Unused dependencies and security vulnerabilities with cargo Unused dependencies, dependency versions and security vulnerabilities with cargo Dec 5, 2021
@appetrosyan appetrosyan added the Chore This is a small task that can be done at any point in time and is easier than others label Jun 8, 2022
mversic (Contributor, Author) commented Jun 9, 2022

this should come in handy

appetrosyan (Contributor) commented

Undepend does a great job
