These reviews are from cargo-vet. To add your review, set up cargo-vet and submit your URL to its registry.

0.18.1 — diff review from 0.17.0 only (current) safe-to-deploy

From bytecodealliance/wasmtime. By Alex Crichton.

No major changes, no unsafe code here.

0.18.1 (current) unknown

From kornelski/crev-proofs copy of git.savannah.gnu.org.

Packaged for Guix (crates-io)

The current version of CargoMetadata is 0.18.1.

0.17.0 — diff review from 0.15.4 only (older version) safe-to-deploy

From EmbarkStudios/rust-ecosystem. By Embark.

No notable changes

0.15.3 (older version) safe-to-deploy

From bytecodealliance/wasmtime. By Pat Hickey.

no build, no unsafe, inputs to cargo command are reasonably sanitized

0.15.3 (older version) safe-to-deploy

From mozilla/supply-chain copy of hg. Audited without comment by Mike Hommey.

0.15.2 (older version) safe-to-deploy

From mozilla/supply-chain copy of hg. By Jan-Erik Rediger.

I reviewed the whole code base. Parser for the output of cargo-metadata, relying mostly on serde. No unsafe code used.

0.15.2 — diff review from 0.14.2 only (older version) safe-to-deploy

From mozilla/supply-chain copy of mozilla/cargo-vet. Audited without comment by Nika Layzell.

cargo-vet does not verify reviewers' identity. You have to fully trust the source the audits are from.

safe-to-deploy (implies safe-to-run)

This crate will not introduce a serious security vulnerability to production software exposed to untrusted input. More…

safe-to-run

Implied by other criteria

This crate can be compiled, run, and tested on a local workstation or in controlled automation without surprising consequences. More…

unknown

May have been packaged automatically without a review

---

These reviews are from Crev, a distributed system for code reviews. To add your review, set up cargo-crev.

The current version of CargoMetadata is 0.18.1.

0.9.1 (older version) Rating: Positive Thoroughness: Medium Understanding: Medium

by MaulingMonkey on 2019-12-22

Parse cargo metadata and cargo build --message-format=json output.

Pros:

• Way better than parsing it yourself
• Safe code

Cons:

• If you're feeling particularly paranoid, cargo metadata could be passed bad feature names (see 0.8.2 review for details)

0.9.1

crev
thoroughness	medium
understanding	medium
rating	positive

Diff	Rating	Notes
.cargo_vcs_info.json	+1
Cargo.toml	+1
Cargo.toml.orig	+1
src/dependency.rs	+1
src/lib.rs	+1
src/messages.rs	+1
tests/test_samples.rs	+1

0.9.0 (older version) Rating: Positive Thoroughness: Medium Understanding: Medium

by MaulingMonkey on 2019-12-22

Show review…

Parse cargo metadata and cargo build --message-format=json output.

0.9.0

Diff	Rating	Notes
.cargo_vcs_info.json	+1
Cargo.toml	+1
Cargo.toml.orig	+1
src/errors.rs	+1	Added Error::NoJson
src/lib.rs	0	Various safe but breaking code changes
src/messages.rs	+1
tests/selftest.rs	+1
tests/test_samples.rs	+1

0.8.2

File	Rating	Notes
src/dependency.rs	+1
src/diagnostic.rs	+1
src/errors.rs	+1
src/lib.rs	0	MetadataCommand makes me slightly paranoid
src/messages.rs	+1
tests/selftest.rs	+1
tests/test_samples.rs	+1
.cargo_vcs_info.json	+1
.cargo-ok	+1
.gitignore	+1
.travis.yml	+1	1.32.0 MSRV
Cargo.toml	+1
Cargo.toml.orig	+1
LICENSE-MIT	+1
README.md	+1

Other	Rating	Notes
unsafe	+1	None
fs	+1	None
io	0	Can invoke cargo metadata. Looks sane, but if passed malicious feature names etc...
docs	+1
tests	+1

src/lib.rs

Line	What	Notes
495	exec	shell access, and I'm paranoid about shell param escaping...
500	exec	shell access, and I'm paranoid about shell param escaping...