by rockdoe 839 days ago
FYI Google and Mozilla audit all their dependencies and share them:

* https://chromium.googlesource.com/chromiumos/third_party/rus...

* https://searchfox.org/mozilla-central/source/supply-chain/au...

It's quite likely that most of your dependencies were already audited.

1 comment

So what in there guarantees I can get the same thing they audited?
Version numbers. You can’t modify an already-published version of a Rust crate on crates.io.
Who in practice pins their dependencies (transitive included) on audited versions?
Small companies with little development experience like Google and Mozilla.

(You can check the files I linked and see audits between deltas for minor version updates)

I guess my point was: "because [some teams at] Google/Mozilla do it right does not mean that everybody does it right".
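The check the thread is circling around (does the exact version in my lockfile fall under one of those published audits, including the delta audits between minor versions?) is mechanical, so here is an added example of it, not code from the thread or from either project. It assumes the audit files use cargo-vet's `audits.toml` layout (`[[audits.<crate>]]` entries carrying `criteria` plus either a full `version` or a `delta = "A -> B"`); the thread never names the tool, so that is my assumption. A locked version counts as covered when it has a full audit for the requested criteria, or when a chain of delta audits leads to it from a fully audited version. The `Cargo.lock` and `audits.toml` text below are constructed samples, the parser handles only the TOML subset those two files use, and exemptions, wildcard audits, imported audits and criteria implication (safe-to-deploy implying safe-to-run) are deliberately left out; use `cargo vet` itself for the real thing.

```python
"""Check which crates.io versions in a Cargo.lock are covered by cargo-vet style audits.

Added example; the sample files below are constructed, not copied from any real audit set.
"""
import re
from collections import deque

# Constructed Cargo.lock: three registry crates and one path crate (no `source`).
CARGO_LOCK = """\
[[package]]
name = "serde"
version = "1.0.152"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde_derive"
version = "1.0.152"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "log"
version = "0.4.17"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "mycrate"
version = "0.1.0"
"""

# Constructed audits.toml in cargo-vet's shape (assumed format, see lead-in).
AUDITS_TOML = """\
[[audits.serde]]
who = "Reviewer <reviewer@example.com>"
criteria = "safe-to-deploy"
version = "1.0.150"

[[audits.serde]]
who = "Reviewer <reviewer@example.com>"
criteria = "safe-to-deploy"
delta = "1.0.150 -> 1.0.152"

[[audits.log]]
who = "Reviewer <reviewer@example.com>"
criteria = "safe-to-deploy"
version = "0.4.14"

[[audits.log]]
who = "Reviewer <reviewer@example.com>"
criteria = "safe-to-run"
delta = "0.4.14 -> 0.4.17"
"""

_HEADER = re.compile(r'^\[\[(.+?)\]\]\s*$')
_KV = re.compile(r'^([A-Za-z_-]+)\s*=\s*"([^"]*)"\s*$')


def parse_tables(text):
    """Parse only the TOML subset used here: [[header]] tables holding key = "string" pairs.

    Returns a list of (header, fields). Not a general TOML parser.
    """
    tables, header, fields = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _HEADER.match(line)
        if m:
            if header is not None:
                tables.append((header, fields))
            header, fields = m.group(1), {}
            continue
        m = _KV.match(line)
        if m and header is not None:
            fields[m.group(1)] = m.group(2)
    if header is not None:
        tables.append((header, fields))
    return tables


def locked_crates(cargo_lock):
    """(name, version) for every crates.io package in Cargo.lock; path/git deps are skipped."""
    return [(f['name'], f['version'])
            for h, f in parse_tables(cargo_lock)
            if h == 'package' and f.get('source', '').startswith('registry+')]


def load_audits(audits_toml):
    """Split audits into full audits {(crate, criteria): {version}} and
    delta audits {(crate, criteria): [(from_version, to_version)]}."""
    full, deltas = {}, {}
    for h, f in parse_tables(audits_toml):
        if not h.startswith('audits.'):
            continue
        key = (h[len('audits.'):], f.get('criteria', ''))
        if 'version' in f:
            full.setdefault(key, set()).add(f['version'])
        elif 'delta' in f:
            src, dst = (s.strip() for s in f['delta'].split('->', 1))
            deltas.setdefault(key, []).append((src, dst))
    return full, deltas


def is_audited(crate, version, criteria, full, deltas):
    """True if `version` has a full audit for `criteria`, or a chain of delta audits
    (walked backwards from `version`) reaches a fully audited version."""
    key = (crate, criteria)
    roots, edges = full.get(key, set()), deltas.get(key, [])
    seen, queue = set(), deque([version])
    while queue:
        v = queue.popleft()
        if v in roots:
            return True
        if v in seen:          # guards against cyclic delta entries
            continue
        seen.add(v)
        queue.extend(src for src, dst in edges if dst == v)
    return False


def coverage_report(cargo_lock, audits_toml, criteria='safe-to-deploy'):
    """Map "crate version" -> covered? for every crates.io entry in the lockfile."""
    full, deltas = load_audits(audits_toml)
    return {f'{name} {ver}': is_audited(name, ver, criteria, full, deltas)
            for name, ver in locked_crates(cargo_lock)}


if __name__ == '__main__':
    for entry, ok in coverage_report(CARGO_LOCK, AUDITS_TOML).items():
        print(('audited   ' if ok else 'UNAUDITED ') + entry)
```

On the sample data, `serde 1.0.152` passes because the 1.0.150 full audit plus the 1.0.150 -> 1.0.152 delta form a chain; `serde_derive` has no audit at all; and `log 0.4.17` fails for safe-to-deploy because the only audit reaching 0.4.17 was done to the weaker safe-to-run criteria, which is exactly the kind of gap a version-number match alone would not reveal.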