Lift 0.0.0 (1 unstable release, Oct 17, 2023; 33KB, 448 lines)
Heads up! Lift is under early development, and many or all of the features described in this document aren't implemented... yet!
A tool for hosting, auditing, and mirroring cargo Crates from crates.io.
Usage: Auditing Crates
Lift combines several linting and auditing tools into one command (`cargo lift check`):
- `cargo fmt --check` (Local Only), which checks your code for formatting discrepancies.
- `cargo clippy` (Local Only), which checks your code for "smells", simple mistakes, and maintainability issues.
- `cargo geiger` (Local Only), which checks your code for usage of the `unsafe` keyword.
- `cargo audit`, which checks for security advisories related to a Crate or its dependencies via the RustSec Advisory Database.
- `cargo vet` or `cargo crev`, which check for failing audits related to a Crate or its dependencies via a distributed set of human-certified code reviews.
Auditing a Local Cargo.toml
To audit a local Crate or Workspace containing a `Cargo.toml` file, run:
`cargo lift check`
To skip auditing non-Workspace dependencies of the `Cargo.toml` file (e.g., all 3rd-party code), run:
`cargo lift check --relaxed`
When the command exits, Lift will print a report flagging any checks that failed for the `Cargo.toml` (and its dependencies, if not `--relaxed`).
Usage: Mirroring crates.io
Lift can download and host ("mirror") copies of any Crate hosted on crates.io.
Mirroring Every Crate from crates.io
Warning: Although Lift doesn't download every version of every Crate from crates.io (by default), it will still download many Crates. This mirroring operation can easily eat up all your network bandwidth and disk space!
To mirror the entire crates.io index, run:
`cargo lift mirror * --from crates.io`
Each mirrored Crate will be available in the local Lift repository after this command exits.
How Mirrored Versions are Selected
For each Crate, only one version is guaranteed to be mirrored. When selecting this version, Lift will:
- Prefer versions which would pass the `cargo lift check --relaxed` command.
- Prefer versions which aren't yanked.
- Prefer the highest ("latest") version.
Lift will mirror additional versions of a Crate if they are required to satisfy direct or indirect ("transitive") dependencies of another Crate.
By default, Lift will ignore any Crates which would fail to pass the `cargo lift check --relaxed` command, unless those Crates are required to satisfy a transitive dependency in another Crate.
Mirroring One Crate from crates.io
To mirror a specific Crate, and all of its direct and indirect dependencies, from crates.io, run:
`cargo lift mirror tokio@1.29.1 --from crates.io`
In this example, version 1.29.1 of the `tokio` crate would be mirrored from crates.io, along with each of its transitive dependencies.
The `mirror` sub-command accepts any version string that would normally be used in a `Cargo.toml`. For example, `*` could be used instead of `1.29.1` in the example above, causing Lift to select a version automatically.
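The version-selection preferences above (passes the relaxed check, then not yanked, then highest) and the `*` / exact version strings accepted by `mirror` are modelled in the following example. This is an added illustration, not Lift's own code: the `Candidate`, `Requirement` and `select_version` names are hypothetical, the index entries are constructed, and whether a version "passes the relaxed check" is assumed to be precomputed. Only `*` and an exact `MAJOR.MINOR.PATCH` requirement are handled, matching the README's `tokio@1.29.1` example; Cargo's caret/tilde requirement forms are not modelled.

```rust
// Added example (not Lift's own code): a model of the mirror version-selection
// rules described in the README. All names here are hypothetical.

/// A plain semantic version triple. Derived `Ord` compares major, then minor, then patch.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    /// Parse a strict "MAJOR.MINOR.PATCH" string; pre-release tags and extra
    /// components are rejected rather than guessed at.
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
        let v = Version(it.next()??, it.next()??, it.next()??);
        if it.next().is_some() {
            return None;
        }
        Some(v)
    }
}

/// What a mirror knows about one published version of a crate.
#[derive(Debug, Clone)]
pub struct Candidate {
    pub version: Version,
    pub yanked: bool,
    /// Assumed to be precomputed, e.g. by running `cargo lift check --relaxed`.
    pub passes_relaxed_check: bool,
}

/// The version string given on the command line after `@`, e.g. `tokio@1.29.1` or `tokio@*`.
/// Assumption: only `*` and an exact triple are modelled.
pub enum Requirement {
    Any,
    Exact(Version),
}

impl Requirement {
    pub fn parse(s: &str) -> Option<Requirement> {
        if s == "*" {
            Some(Requirement::Any)
        } else {
            Version::parse(s).map(Requirement::Exact)
        }
    }

    fn matches(&self, v: &Version) -> bool {
        match self {
            Requirement::Any => true,
            Requirement::Exact(e) => e == v,
        }
    }
}

/// Pick the single version to mirror, in the README's preference order:
/// 1. passes the relaxed check, 2. not yanked, 3. highest version.
/// A crate whose best candidate still fails the relaxed check is skipped
/// (None) unless it is needed to satisfy another crate's transitive dependency.
pub fn select_version(
    cands: &[Candidate],
    req: &Requirement,
    required_transitively: bool,
) -> Option<Version> {
    let best = cands
        .iter()
        .filter(|c| req.matches(&c.version))
        .max_by(|a, b| {
            a.passes_relaxed_check
                .cmp(&b.passes_relaxed_check)
                .then((!a.yanked).cmp(&!b.yanked))
                .then(a.version.cmp(&b.version))
        })?;
    if !best.passes_relaxed_check && !required_transitively {
        return None;
    }
    Some(best.version.clone())
}

/// Convenience constructor for the constructed sample index below.
pub fn cand(v: &str, yanked: bool, passes: bool) -> Candidate {
    Candidate {
        version: Version::parse(v).expect("valid version"),
        yanked,
        passes_relaxed_check: passes,
    }
}

fn main() {
    // Constructed index entries for a hypothetical crate.
    let index = vec![
        cand("1.30.0", false, false), // newest, but fails the relaxed check
        cand("1.29.1", false, true),  // passes and is not yanked: selected
        cand("1.29.0", true, true),   // passes but yanked
    ];
    let any = Requirement::parse("*").unwrap();
    println!("{:?}", select_version(&index, &any, false));
}
```

The ordering is expressed as a single `max_by` comparison so that each preference strictly dominates the next: a passing but older version beats a newer one that fails the check, and a yanked version is only chosen when nothing unyanked satisfies the requirement. The final guard implements the README's default of ignoring crates that cannot pass the relaxed check, with the transitive-dependency exception as an explicit flag.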
License and Contributions Notice
Except where otherwise noted, this project is Copyright (C) 2023 Brandon Sanders [hello@crahda.cc], and licensed under the AGPL-3.0-only.
When submitting a contribution to this repository, you grant the copyright holder(s) of this repository a non-exclusive, worldwide, royalty-free license to make, use, sell, offer for sale, import and otherwise run, modify, and propagate the contents of your "contributor version", as defined in section 11 of the AGPL-3.0-only license.
Dependencies: ~19–31MB, ~546K SLoC