by dathinab
813 days ago
There is also `cargo vendor` (which turns dependencies into path dependencies). Sometimes, if you do security-sensitive stuff, it can be a good option to either:

1. pin dependencies and give each dependency a review for suspicious code, or
2. vendor them in some cases (e.g. applying patches, or if pinning seems not to be good enough for whatever reason, likely related to offline building).

If you are not a very security-sensitive project but still worry about the supply chain, then it may also be an option to pin/vendor some dependencies but e.g. trust `tokio`, `regex` or similar. E.g. not pin some more trusted dependencies, but then pin some small utility crate from a random person which you don't want to write yourself and which is trivial/self-contained enough that you likely might not care about any updates to it (still include it in security scans, check why it was updated, etc.).
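As an added illustration (not part of dathinab's comment), this is what the "trust the big crates, pin the small one, vendor and patch where needed" layout looks like in Cargo; the `tiny-util` crate name and the `patched/` path are hypothetical, while the `.cargo/config.toml` stanza is the one `cargo vendor` itself emits:

```toml
# Cargo.toml (constructed example)
[package]
name = "app"
version = "0.1.0"
edition = "2021"

[dependencies]
# Widely reviewed crates stay on a caret range; the committed Cargo.lock
# still fixes the exact version, and `cargo build --locked` refuses to drift.
tokio = "1"
regex = "1"

# Small, self-contained crate from a single maintainer: pin the exact
# version so it only moves after someone has read the diff.
# (`tiny-util` is a hypothetical crate name.)
tiny-util = "=0.3.2"

# Carrying a local patch for that crate: replace the registry copy with the
# patched tree checked into the repository. Its own Cargo.toml keeps
# version 0.3.2 so the exact pin above still matches.
[patch.crates-io]
tiny-util = { path = "patched/tiny-util" }

# .cargo/config.toml, as written by `cargo vendor`: every registry crate now
# resolves to the checked-in vendor/ directory, so builds work fully offline
# and nothing can be swapped in from the network at build time.
[source.crates-io]
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "vendor"
```

Commit Cargo.lock together with the vendor/ tree; `cargo build --locked --offline` then fails loudly instead of silently fetching a newer crate.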