by MrJohz
666 days ago
cargo tree -i log@0.3.9
will show which dependencies require this particular version of log, and how they are transitively related to the main package. In this case, you would clearly see that the out-of-date dependency comes from package "b". There are equivalents for most other package managers that take this approach, and I've never found this a problem in practice. Of course, you still need to know that there's a vulnerability there in the first place, but that's why tools like NPM often integrate with vulnerability scanners so that they can check your dependencies as you install them.
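As an added illustration (not part of the comment above), here is a small parser for the inverted tree that `cargo tree -i <pkg>@<ver>` prints, which walks each branch back to the root crate and reports which direct dependency is pulling in the flagged version. The crate names, versions and the tree text are constructed; the four-character box-drawing indentation is the usual `cargo tree` layout and is assumed here.

```python
import re

# Constructed output of `cargo tree -i log@0.3.9` for a hypothetical workspace:
# "b" depends on the old log directly, and "c" pulls it in via "a".
SAMPLE_INVERTED_TREE = """\
log v0.3.9
├── b v0.1.0
│   └── my-app v0.1.0
└── c v0.2.0
    └── a v1.0.0
        └── my-app v0.1.0
"""

# Each nesting level is four characters wide ("├── ", "└── ", "│   " or "    ").
# Trailing markers such as "(*)" (already-printed subtree) are ignored.
_LINE_RE = re.compile(r"^(?P<indent>(?:│   |    |├── |└── )*)(?P<name>\S+) (?P<ver>v\S+)")


def parse_chains(tree_text):
    """Return every chain from the queried package up to a root crate.

    In an inverted tree a node's children are its dependents, so each leaf
    is a root crate and each chain reads: queried package -> ... -> root.
    """
    entries = []
    for raw in tree_text.splitlines():
        m = _LINE_RE.match(raw)
        if m:
            entries.append((len(m.group("indent")) // 4, f"{m.group('name')} {m.group('ver')}"))
    chains, stack = [], []
    for i, (depth, node) in enumerate(entries):
        del stack[depth:]          # back out of deeper branches we have finished
        stack.append(node)
        is_leaf = i + 1 == len(entries) or entries[i + 1][0] <= depth
        if is_leaf:
            chains.append(list(stack))
    return chains


def direct_dependencies(tree_text):
    """Map each root crate to the direct dependencies that bring in the queried package."""
    result = {}
    for chain in parse_chains(tree_text):
        if len(chain) >= 2:
            result.setdefault(chain[-1], set()).add(chain[-2])
    return result


if __name__ == "__main__":
    for root, deps in direct_dependencies(SAMPLE_INVERTED_TREE).items():
        print(f"{root} reaches log v0.3.9 through: {', '.join(sorted(deps))}")
```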