#cargo #lift #auditing #version #hosting #io #mirroring

bin+lib cargo-lift

A tool for hosting, mirroring, and auditing Crates

1 unstable release

0.0.0 Oct 17, 2023

#3 in #lift

25 downloads per month

AGPL-3.0-only

33KB
448 lines

Heads up!: Lift is under early development, and many or all of the features described in this document aren't implemented...yet!

A tool for hosting, auditing, and mirroring cargo Crates from crates.io.

Usage: Auditing Crates

Lift combines several linting and auditing tools into one command (cargo lift check):

  • cargo fmt --check (Local Only), which checks your code for formatting discrepancies.

  • cargo clippy (Local Only), which checks your code for "smells", simple mistakes, and maintainability issues.

  • cargo geiger (Local Only), which checks your code for usage of the unsafe keyword.

  • cargo audit, which checks for security advisories related to a Crate or its dependencies via the RustSec Advisory Database.

  • cargo vet or cargo crev, which check for failing audits related to a Crate or its dependencies via a distributed set of human-certified code reviews.

Auditing a Local Cargo.toml

To audit a local Crate or Workspace containing a Cargo.toml file, run:

cargo lift check

To skip auditing non-Workspace dependencies of the Cargo.toml file (e.g., all 3rd-party code), run:

cargo lift check --relaxed

When the command exits, Lift will print a report flagging any checks that failed for the Cargo.toml (and its dependencies, if not --relaxed).

Usage: Mirroring crates.io

Lift can download and host ("mirror") copies of any Crate hosted on crates.io.

Mirroring Every Crate from crates.io

Warning: Although Lift doesn't download every version of every Crate from crates.io (by default), it will still download many Crates. This mirroring operation can easily eat up all your network bandwidth and disk space!

To mirror the entire crates.io index, run:

cargo lift mirror * --from crates.io

Each mirrored Crate will be available in the local Lift repository after this command exits.

How Mirrored Versions are Selected

For each Crate, only one version is guaranteed to be mirrored. When selecting this version, Lift will:

  1. Prefer versions which would pass the cargo lift check --relaxed command.
  2. Prefer versions which aren't yanked.
  3. Prefer the highest ("latest") version.

Lift will mirror additional versions of a Crate if they are required to satisfy direct or indirect ("transitive") dependencies of another Crate.

By default, Lift will ignore any Crates which would fail to pass the cargo lift check --relaxed command, unless those Crates are required to satisfy a transitive dependency in another Crate.
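As an added illustration of the three selection rules above (this is not Lift's own code; the page notes the feature is not yet implemented), the Rust sketch below ranks constructed candidate versions of a crate and applies the "skip unless required transitively" fallback. The types, field names and the pass/fail flag standing in for the result of cargo lift check --relaxed are all hypothetical.

```rust
// Illustration of Lift's documented selection rules; hypothetical types, not Lift's code.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
struct Version(u64, u64, u64); // major.minor.patch; tuple ordering matches semver precedence

impl Version {
    fn parse(s: &str) -> Option<Version> {
        let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
        Some(Version(it.next()??, it.next()??, it.next()??))
    }
}

#[derive(Debug, Clone)]
struct Candidate {
    version: Version,
    yanked: bool,
    passes_relaxed_check: bool, // constructed stand-in for `cargo lift check --relaxed`
}

/// Rank key: rule 1 (passes check) > rule 2 (not yanked) > rule 3 (highest version).
fn rank(c: &Candidate) -> (bool, bool, &Version) {
    (c.passes_relaxed_check, !c.yanked, &c.version)
}

/// Pick the single guaranteed version to mirror. A crate with no version that
/// passes the relaxed check is skipped unless a transitive dependency needs it.
fn select_version(candidates: &[Candidate], required_transitively: bool) -> Option<Version> {
    let best = candidates.iter().max_by(|a, b| rank(a).cmp(&rank(b)))?;
    if !best.passes_relaxed_check && !required_transitively {
        return None;
    }
    Some(best.version.clone())
}

fn cand(v: &str, yanked: bool, passes: bool) -> Candidate {
    Candidate { version: Version::parse(v).unwrap(), yanked, passes_relaxed_check: passes }
}

/// Constructed sample index entries for a fictional crate (values are made up).
fn sample_candidates() -> Vec<Candidate> {
    vec![
        cand("1.30.0", false, false), // newest, but fails the relaxed check
        cand("1.29.2", true, true),   // passes, but yanked
        cand("1.29.1", false, true),  // passes and not yanked: selected
        cand("1.28.2", false, true),
    ]
}

fn main() {
    println!("selected: {:?}", select_version(&sample_candidates(), false));
}
```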

Mirroring One Crate from crates.io

To mirror a specific Crate, and all of its direct and indirect dependencies, from crates.io, run:

cargo lift mirror tokio@1.29.1 --from crates.io

In this example, version 1.29.1 of the tokio crate would be mirrored from crates.io, along with each of its transitive dependencies.

The mirror sub-command accepts any version string that would normally be used in a Cargo.toml. For example, * could be used instead of 1.29.1 in the example above, causing Lift to select a version automatically.

License and Contributions Notice

Except where otherwise noted, this project is Copyright (C) 2023 Brandon Sanders [hello@crahda.cc], and licensed under the AGPL-3.0-only.

When submitting a contribution to this repository, you grant the copyright holder(s) of this repository a non-exclusive, worldwide, royalty-free license to make, use, sell, offer for sale, import and otherwise run, modify, and propagate the contents of your "contributor version", as defined in section 11 of the AGPL-3.0-only license.

Dependencies

~21–36MB
~605K SLoC